New Vulnerability Scanner for API Shield
Cloudflare is launching the Web and API Vulnerability Scanner in open beta, a new dynamic application security testing (DAST) platform available to all API Shield customers. This tool helps development teams proactively identify logic flaws in their APIs before they reach production.
Key Capabilities
The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities, one of the most critical API security risks. The scanner works by:
- Building comprehensive API call graphs from your API specifications
- Simulating different user contexts (owner and attacker perspectives)
- Sending real HTTP requests to test these contexts against your endpoints
- Identifying authorization weaknesses and access control flaws
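An added illustration, not Cloudflare's scanner code, of the owner/attacker differential check described above: it reads a constructed minimal OpenAPI fragment to find endpoints that take an object identifier, then requests each owner-created object as both the owner and the attacker against a constructed in-memory API (a stand-in for the real HTTP target) and flags any object the attacker can read. The spec, paths, user names and `FakeApi` are assumptions for the example.

```python
import re

# Constructed OpenAPI fragment; only the paths matter for this example.
SPEC = {"paths": {
    "/orders/{orderId}": {"get": {"responses": {"200": {}}}},
    "/health": {"get": {"responses": {"200": {}}}},
}}

def object_endpoints(spec):
    """Return (path template, method) pairs with a path parameter: BOLA candidates."""
    return [(p, m) for p, ops in spec["paths"].items() for m in ops
            if re.search(r"\{\w+\}", p)]

class FakeApi:
    """In-memory stand-in for the target API; the real scanner sends HTTP requests."""
    def __init__(self, enforce_owner):
        self.enforce_owner = enforce_owner
        self.orders = {"ord-1": "alice", "ord-2": "alice", "ord-9": "mallory"}

    def request(self, method, path, user):
        m = re.fullmatch(r"/orders/([\w-]+)", path)
        if method != "get" or not m:
            return 404, None
        owner = self.orders.get(m.group(1))
        if owner is None:
            return 404, None
        if self.enforce_owner and owner != user:  # omitting this check is the BOLA
            return 403, None
        return 200, {"id": m.group(1), "owner": owner}

def bola_scan(api, spec, owner, attacker, owned_ids):
    """Differential test: an object readable by its owner must not be readable by another user."""
    findings = []
    for template, method in object_endpoints(spec):
        for oid in owned_ids:
            path = re.sub(r"\{\w+\}", oid, template)
            o_status, o_body = api.request(method, path, owner)
            if o_status != 200:
                continue  # owner context must succeed for the comparison to mean anything
            a_status, a_body = api.request(method, path, attacker)
            if a_status == 200 and a_body == o_body:
                findings.append((method.upper(), path))
    return findings
```

Run `bola_scan(FakeApi(enforce_owner=False), SPEC, "alice", "mallory", ["ord-1", "ord-2"])` to see both orders flagged; with `enforce_owner=True` the same scan reports nothing.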
Getting Started
The vulnerability scanner is currently available via the Cloudflare API only. To use it, you'll need to:
- Set up your target environment with owner and attacker credentials
- Upload an OpenAPI specification file with response schemas
- Use the Cloudflare API to initiate scans and retrieve results
This API-first approach is designed for programmatic integration into CI/CD pipelines and security dashboards, enabling continuous security testing as part of your deployment workflow.
What's Next
Dashboard access to the scanner will be available in a future release. For now, teams can integrate the scanner directly into their security tooling and workflows. Refer to the developer documentation to begin scanning your API endpoints.