Cloudflare
Cloudflare launches stateful API vulnerability scanner in beta, targets BOLA attacks
Cloudflare · feature, security, api, platform · blog.cloudflare.com

Active Defense for APIs

Cloudflare is expanding its Application Security platform with a new Web and API Vulnerability Scanner now available in beta. The scanner addresses a critical gap in API security: logic-based vulnerabilities that bypass traditional defensive tools.

The BOLA Problem

The scanner focuses initially on Broken Object Level Authorization (BOLA)—the most pervasive vulnerability in the OWASP API Top 10. Unlike SQL injection or XSS attacks that have detectable signatures, BOLA exploits occur through perfectly valid HTTP requests with correct syntax and valid authentication tokens. Attackers simply substitute another user's resource identifier to access or modify their data. For example, an authenticated user could change another user's delivery address by simply altering the order ID in an API request.

Why Passive Detection Isn't Enough

Cloudflare previously launched passive BOLA detection within API Shield that identifies anomalies in production traffic. However, passive scanning requires extensive baseline context—understanding normal user behavior, valid parameters, and API patterns. This approach fails in development environments without traffic, production systems lacking attack patterns, or organizations that want proactive testing rather than reactive monitoring.

Stateful Scanning Advantage

Cloudflare's scanner overcomes traditional DAST tool limitations through several innovations:

  • Stateful request chaining: Creates logical sequences of API calls (e.g., creating test objects before attempting to manipulate them), mimicking real attack patterns
  • Integrated results: Findings appear in Security Insights alongside other Cloudflare security posture data
  • API Shield context: Leverages existing API Shield deployments for seamless integration
  • Built-in authentication: Handles modern login flows automatically

The scanner will expand beyond BOLA to cover additional API and web vulnerabilities over time.
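As an added illustration (not Cloudflare's code or the scanner itself), here is the BOLA pattern from the order-address example above on a minimal in-memory order store, together with a stateful check in the spirit of the request chaining just described: the vulnerable handler trusts the order ID alone, the fixed handler also verifies ownership, and the probe creates an order as one user and then attempts to modify it as another. All class and function names are hypothetical.

```python
# Added example (not Cloudflare code): a BOLA-prone order API on an
# in-memory store, its fix, and a stateful check that chains requests
# the way the scanner described above does. All names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Order:
    owner: str
    address: str

@dataclass
class OrderService:
    orders: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, user: str, address: str) -> int:
        """Authenticated user creates an order; returns its ID."""
        oid = self.next_id
        self.orders[oid] = Order(owner=user, address=address)
        self.next_id += 1
        return oid

    def update_address_vulnerable(self, user: str, oid: int, new: str) -> int:
        """BOLA: valid token and valid syntax, but no ownership check."""
        if oid not in self.orders:
            return 404
        self.orders[oid].address = new
        return 200

    def update_address_fixed(self, user: str, oid: int, new: str) -> int:
        """Object-level authorization: the caller must own the order.
        Returning 404 rather than 403 avoids confirming the object exists."""
        order = self.orders.get(oid)
        if order is None or order.owner != user:
            return 404
        order.address = new
        return 200

def bola_check(svc: OrderService, handler) -> bool:
    """Stateful probe: create an object as 'alice', then try to modify it
    as 'bob'. Returns True when the cross-user write succeeded, i.e. the
    handler is vulnerable and a BOLA finding would be raised."""
    oid = svc.create("alice", "1 Main St")
    status = handler("bob", oid, "2 Other Rd")
    tampered = svc.orders[oid].address != "1 Main St"
    return status == 200 or tampered
```

Running `bola_check` against each handler on a fresh `OrderService` returns True for the vulnerable version and False for the fixed one.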

Availability

The Web and API Vulnerability Scanner is available in beta for existing API Shield customers.