Introducing Active Defense for APIs
Cloudflare has launched the beta of its Web and API Vulnerability Scanner, a new security offering designed to hunt for logic flaws in APIs that passive defenses cannot catch. The scanner focuses first on Broken Object Level Authorization (BOLA), the most pervasive vulnerability on the OWASP API Top 10 list.
Why Traditional Security Misses API Logic Flaws
Traditional Web Application Firewalls (WAFs) excel at catching syntax-based attacks like SQL injection and cross-site scripting, which have clear signatures. API vulnerabilities are fundamentally different—they manifest as perfectly valid HTTP requests that conform to protocol and application specifications but violate business logic.
For example, an attacker with a valid authentication token could modify another user's order by changing the order_id parameter in a PATCH request. The request headers are valid, the schema is correct, and the token is legitimate—yet the API failed to verify the requester actually owns the order. A traditional WAF cannot detect this because the request itself is syntactically flawless.
Stateful Scanning for Authorization Testing
The scanner uses Dynamic Application Security Testing (DAST) principles with a critical improvement: stateful request chaining. Unlike legacy DAST tools that evaluate requests in isolation, Cloudflare's scanner can chain requests together in logical sequences—creating test objects before attempting to access them—to properly test authorization controls across object relationships.
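The two ideas above, a valid request that fails object-level authorization and a scan step that creates an object before trying to access it, can be shown together. The following is an added example, not Cloudflare's scanner or any real API: a minimal in-memory orders service with a BOLA-vulnerable PATCH handler beside a hardened one, and a stateful probe that creates an order as one user and then attempts to modify it as another. The bearer tokens, user names and order data are all constructed for the example.

```python
# Added example, not Cloudflare's scanner code: a minimal in-memory orders API
# with a BOLA-vulnerable PATCH handler beside a hardened one, and a stateful
# probe that creates an object as one user before trying to modify it as another.
# Tokens, user names and order data are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Order:
    order_id: int
    owner: str
    status: str = "pending"


@dataclass
class OrdersApi:
    """Stand-in for a service exposing POST /orders and PATCH /orders/{id}.

    check_ownership=False reproduces the flaw described in the article: the
    handler authenticates the token and validates the body but never checks
    that the caller owns the object it is modifying.
    """
    check_ownership: bool
    # Constructed bearer tokens mapped to hypothetical user ids
    tokens: Dict[str, str] = field(default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})
    orders: Dict[int, Order] = field(default_factory=dict)
    next_id: int = 1

    def _authenticate(self, headers: dict) -> Optional[str]:
        """Map an Authorization header to a user id; None if unauthenticated."""
        token = headers.get("Authorization", "")
        if not token.startswith("Bearer "):
            return None
        return self.tokens.get(token[len("Bearer "):])

    def post_order(self, headers: dict) -> Tuple[int, dict]:
        user = self._authenticate(headers)
        if user is None:
            return 401, {"error": "unauthenticated"}
        order = Order(self.next_id, user)
        self.orders[order.order_id] = order
        self.next_id += 1
        return 201, {"order_id": order.order_id, "owner": order.owner, "status": order.status}

    def patch_order(self, headers: dict, order_id: int, body: dict) -> Tuple[int, dict]:
        user = self._authenticate(headers)
        if user is None:
            return 401, {"error": "unauthenticated"}
        # Schema validation: the cross-user request passes this just as the owner's does
        if not isinstance(body.get("status"), str):
            return 400, {"error": "status must be a string"}
        order = self.orders.get(order_id)
        if order is None:
            return 404, {"error": "not found"}
        # Hardened handler: the object-level authorization check the vulnerable
        # version lacks. Some APIs return 404 here instead of 403 so that the
        # response does not confirm that the object exists.
        if self.check_ownership and order.owner != user:
            return 403, {"error": "forbidden"}
        order.status = body["status"]
        return 200, {"order_id": order.order_id, "owner": order.owner, "status": order.status}


def bola_probe(api: OrdersApi) -> dict:
    """Stateful BOLA check: create as user A, confirm A can modify, then try as user B.

    The owner's control request guards against a false positive from an endpoint
    that is simply broken: the finding is raised only when the owner's request
    succeeds and the other user's request also changes the object.
    """
    alice = {"Authorization": "Bearer tok-alice"}
    bob = {"Authorization": "Bearer tok-bob"}
    status, created = api.post_order(alice)  # step 1: create the test object
    if status != 201:
        return {"bola": False, "error": f"setup failed with {status}"}
    order_id = created["order_id"]
    owner_status, _ = api.patch_order(alice, order_id, {"status": "shipped"})   # step 2: control
    cross_status, _ = api.patch_order(bob, order_id, {"status": "cancelled"})   # step 3: cross-user
    final_state = api.orders[order_id].status
    return {
        "order_id": order_id,
        "owner_status": owner_status,
        "cross_user_status": cross_status,
        "final_state": final_state,
        "bola": owner_status == 200 and cross_status == 200 and final_state == "cancelled",
    }


if __name__ == "__main__":
    print("vulnerable:", bola_probe(OrdersApi(check_ownership=False)))
    print("hardened:  ", bola_probe(OrdersApi(check_ownership=True)))
```

The probe checks the object's final state rather than only the status code, so a handler that returns 200 but silently ignores the unauthorized change is not reported as a finding; that is the kind of stateful, object-aware check a request-in-isolation scanner cannot make.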
Key features include:
- Integrated into Security Insights: Results appear alongside other Cloudflare security findings for contextual visibility
- Built for modern APIs: No manual OpenAPI/Swagger file management required; leverages existing API Shield telemetry
- Available to API Shield customers: Initially available for customers already using API Shield
- Planned expansion: BOLA detection is just the first scan type; additional API and web application vulnerabilities will be added over time
Next Steps for Developers
API Shield customers can access the Web and API Vulnerability Scanner beta through the Cloudflare dashboard. The beta helps security teams proactively identify authorization logic gaps before they become production incidents. It is particularly useful for testing development environments that see little traffic, and for validating production APIs without relying solely on attack detection.