Cloudflare
Cloudflare launches vulnerability scanner for API Shield with BOLA detection
Cloudflare · feature, api, security, release · developers.cloudflare.com

Overview

Cloudflare has launched an Open Beta of the Web and API Vulnerability Scanner for all API Shield customers. This new security testing platform is designed to help teams proactively identify logic flaws and authorization vulnerabilities in their APIs before they reach production.

Key Capabilities

The scanner leverages stateful Dynamic Application Security Testing (DAST) to analyze API behavior under different security contexts. The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities—a critical API security issue where attackers can access resources belonging to other users by manipulating object identifiers.

How it works:

  • Builds API call graphs to understand API relationships and workflows
  • Simulates both attacker and owner contexts
  • Sends real HTTP requests to test authorization logic
  • Reports vulnerabilities with actionable findings
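The owner-versus-attacker comparison behind BOLA detection can be shown in a few dozen lines. The block below is an added illustration, not Cloudflare's scanner code and not its API: it stands up an in-process stand-in for an API with a deliberately unchecked `GET /invoices/{id}` handler beside a corrected one, then replays each owner's object id under the other user's token and compares the two responses. The record store, tokens, handler names and the `probe_bola`/`scan` helpers are all constructed for this example.

```python
"""Minimal BOLA probe in the owner-vs-attacker style the scanner uses (example code)."""
from dataclasses import dataclass, field

# --- Constructed in-process stand-in for an API under test (not Cloudflare code) ---

# Records owned by two users; ids are sequential so they are easy to enumerate.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 75.50},
}
# Bearer tokens mapped to user identities (constructed test credentials).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_get_invoice(invoice_id: str, token: str) -> Response:
    """Authenticates the caller but never checks ownership: the BOLA pattern."""
    if token not in TOKENS:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, {"id": invoice_id, "amount": inv["amount"]})


def fixed_get_invoice(invoice_id: str, token: str) -> Response:
    """Object-level check: the record must belong to the authenticated caller."""
    user = TOKENS.get(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return Response(404)  # same answer for "missing" and "not yours"
    return Response(200, {"id": invoice_id, "amount": inv["amount"]})


# --- Probe: fetch as the owner, then replay the same object id as the attacker ---

@dataclass
class Finding:
    object_id: str
    owner_status: int
    attacker_status: int
    verdict: str


def probe_bola(handler, object_id: str, owner_token: str, attacker_token: str) -> Finding:
    """Compare the owner's and the attacker's view of one object."""
    owner = handler(object_id, owner_token)
    if owner.status != 200:
        # The owner context must succeed or the comparison proves nothing.
        return Finding(object_id, owner.status, -1, "inconclusive: owner cannot read own object")
    attacker = handler(object_id, attacker_token)
    if attacker.status == 200 and attacker.body == owner.body:
        verdict = "BOLA: attacker received the owner's object"
    elif attacker.status == 200:
        verdict = "suspicious: 200 with a different body, review manually"
    else:
        verdict = "ok: access denied"
    return Finding(object_id, owner.status, attacker.status, verdict)


def scan(handler) -> list[Finding]:
    """Test every known object from the other user's context."""
    findings = []
    for oid, inv in INVOICES.items():
        owner_tok = next(t for t, u in TOKENS.items() if u == inv["owner"])
        attacker_tok = next(t for t, u in TOKENS.items() if u != inv["owner"])
        findings.append(probe_bola(handler, oid, owner_tok, attacker_tok))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_invoice), ("fixed", fixed_get_invoice)):
        for f in scan(handler):
            print(f"{name}: {f.object_id} owner={f.owner_status} "
                  f"attacker={f.attacker_status} -> {f.verdict}")
```

Two design points carry over to a real scan: the owner request is made first so that a 4xx in the attacker context is only meaningful when the owner context returned 200, and the hardened handler returns 404 for both absent and foreign objects so the probe cannot distinguish "exists but denied" from "does not exist".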

Getting Started

The vulnerability scanner is available immediately via the Cloudflare API. To begin scanning:

  1. Set up your target environment with owner and attacker credentials
  2. Upload your OpenAPI file with response schemas
  3. Run scans programmatically via the Cloudflare API

The feature is designed for CI/CD pipeline integration and can be embedded directly into security dashboards for continuous security testing.

Availability & Dashboard Integration

Currently available to API Shield subscribers via the API only; integration into the Cloudflare dashboard is planned for a future release. Refer to the developer documentation for detailed setup and usage instructions.