SECURITY is shifting from pure defence to active testing with the beta launch of Cloudflare’s Web and API Vulnerability Scanner, aimed at detecting logic flaws in APIs, starting with Broken Object Level Authorization (BOLA) as the first vulnerability type. The tool will be available first for API Shield customers, with plans to add more scan types for APIs and web applications over time.
It builds an automatic scan plan by modelling API calls from OpenAPI specifications and an API call graph. The scanner is given separate credentials for the owner of a resource and for a simulated attacker, so an authorization flaw shows up when the attacker's credentials succeed on a request that should have been refused. The scanner relies on Cloudflare’s edge position, passive insight into live traffic, and a new stateful DAST platform, which lets it issue new HTTP requests of its own (rather than only observing traffic) to verify detected risks. Credentials are encrypted with HashiCorp’s Vault Transit Secret Engine and stored in that form; they are decrypted only while a test is executing.
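The two-credential BOLA check the article describes, reduced to a runnable model. This is an added example, not Cloudflare's scanner code: the in-memory `ToyApi`, the `OPENAPI_FRAGMENT`, the `/orders/{orderId}` route and the owner and attacker tokens are all constructed for illustration, and the plain-dict credential store stands in for the Vault-encrypted storage the product uses. The same probe is run against a variant that omits the ownership check and against the corrected variant, so the output shows what a finding looks like and what a clean result looks like.

```python
"""Toy two-credential BOLA probe (added example; not Cloudflare's code).

A BOLA flaw means an authenticated caller can address another user's object by
id. The check below does what a stateful DAST platform does: the owner creates
an object, then the same request is replayed with a second user's credentials,
and a success that matches the owner's response is reported as a finding.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


@dataclass
class ToyApi:
    """Constructed in-memory /orders API. `enforce_ownership` toggles the fix."""
    enforce_ownership: bool
    orders: Dict[int, dict] = field(default_factory=dict)
    next_id: int = 1

    def create_order(self, principal: str, item: str) -> Response:
        order_id = self.next_id
        self.next_id += 1
        self.orders[order_id] = {"id": order_id, "owner": principal, "item": item}
        return Response(201, dict(self.orders[order_id]))

    def get_order(self, principal: str, order_id: int) -> Response:
        order = self.orders.get(order_id)
        if order is None:
            return Response(404)
        # Vulnerable variant: the caller is authenticated, but nothing checks
        # that the caller owns the row. The fixed variant adds that check.
        if self.enforce_ownership and order["owner"] != principal:
            return Response(403)
        return Response(200, dict(order))


# Constructed fragment of an OpenAPI document. A templated path parameter marks
# an operation that addresses one specific object, which is where BOLA can occur.
OPENAPI_FRAGMENT = {
    "paths": {
        "/orders": {"post": {"operationId": "createOrder"}},
        "/orders/{orderId}": {"get": {"operationId": "getOrder"}},
    }
}

# Constructed credential store. In the product these would sit encrypted at rest
# and be decrypted only for the duration of a test run; here they are plain.
CREDENTIALS = {"owner": "owner-token", "attacker": "attacker-token"}


def object_level_operations(spec: dict) -> List[Tuple[str, str]]:
    """Plan step: pick (path, method) pairs whose path carries an object id."""
    ops: List[Tuple[str, str]] = []
    for path, methods in spec["paths"].items():
        if "{" in path:
            ops.extend((path, method) for method in methods)
    return ops


def bola_probe(api: ToyApi, owner: str, attacker: str) -> dict:
    """Create an object as the owner, then read it back as both principals."""
    created = api.create_order(owner, "widget")
    if created.status != 201 or created.body is None:
        raise RuntimeError("setup request failed; cannot probe")
    order_id = created.body["id"]

    # Baseline confirms the request shape is valid before any conclusion is drawn.
    baseline = api.get_order(owner, order_id)
    cross = api.get_order(attacker, order_id)

    return {
        "object_id": order_id,
        "owner_status": baseline.status,
        "attacker_status": cross.status,
        # A finding requires the attacker to receive the owner's successful
        # response, not merely a 200 with some other body.
        "vulnerable": baseline.status == 200
        and cross.status == 200
        and cross.body == baseline.body,
    }


def run_scan(api: ToyApi) -> List[dict]:
    """Run the BOLA probe once per object-level GET operation in the spec."""
    findings = []
    for path, method in object_level_operations(OPENAPI_FRAGMENT):
        if method == "get":
            result = bola_probe(api, CREDENTIALS["owner"], CREDENTIALS["attacker"])
            result["operation"] = f"{method.upper()} {path}"
            findings.append(result)
    return findings


if __name__ == "__main__":
    for label, enforce in (("missing ownership check", False), ("fixed", True)):
        for finding in run_scan(ToyApi(enforce_ownership=enforce)):
            print(label, finding)
```

The `baseline` request matters in practice: without it, a 403 or 404 on the attacker's request cannot be distinguished from a malformed probe, and a scanner would report silence where it should report "inconclusive".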
Cloudflare notes the beta is open to API Shield customers today, with future releases expected to broaden coverage to other OWASP Web Top 10 threats and integrate with CI/CD pipelines.