Cloudflare Adds Active API Vulnerability Scanning to Its Edge
#Vulnerabilities


Infrastructure Reporter, InfoQ
4 min read

Cloudflare has launched an open beta of its Web and API Vulnerability Scanner, a Dynamic Application Security Testing (DAST) tool that actively hunts for Broken Object Level Authorization (BOLA) vulnerabilities at the edge.

The scanner is part of the API Shield platform and marks Cloudflare's entry into the crowded and fragmented API DAST market. Unlike the passive BOLA detection API Shield already offered, it sends its own requests to the target.


The first release focuses exclusively on BOLA, which sits at the top of the OWASP API Security Top 10 (API1). Future updates are planned to cover the wider OWASP Web Top 10, including SQL injection and cross-site scripting. The scanner is currently in open beta for API Shield customers, with results appearing in Cloudflare's Security Insights dashboard alongside the existing posture findings.

Why Traditional WAFs Fall Short

The most dangerous API vulnerabilities today are not basic injection attacks or malformed requests that a Web Application Firewall (WAF) can detect with a signature. They are logic flaws: perfectly valid HTTP requests that conform to the protocol and to the application's own schema, yet violate its business rules.

A WAF, no matter how well configured, cannot flag a request in which an authenticated user simply substitutes another user's resource ID into a path parameter. The request is syntactically well formed, carries valid credentials and matches no attack pattern. The defect lies entirely in the server's authorization logic, which fails to check that the caller owns the object it names.

Last year, Cloudflare launched BOLA detection for API Shield based on passive scanning. That feature infers likely BOLA flaws by observing patterns in real customer traffic, without sending requests of its own. Passive detection works well when traffic volume is sufficient and attack patterns are actually present in it. But development environments often need testing before they receive any user traffic, and a production environment may carry plenty of legitimate traffic yet no attack attempts, leaving a passive detector with nothing to learn from.

In these cases—which cover most pre-production security workflows—teams need to create their own synthetic test traffic. That's what DAST tools are made for.

The Challenge with Traditional DAST Tools

The problem with traditional DAST tools is their high barrier to entry. They can be difficult to set up, often require manual uploads of Swagger/OpenAPI files, struggle with modern login flows, and frequently lack tests written for API-specific vulnerability classes rather than classic web ones.

Cloudflare's position is that authorization flaws are best found by modelling the API as a call graph rather than a flat list of endpoints. A BOLA test presupposes a resource that already exists on the server: an owner must first create it with what Cloudflare calls a genesis POST, and only then can a second principal, using their own valid credentials, attempt to read, modify or delete it through the identifier that creation returned.

Most legacy scanners treat each request in isolation, which makes a dependency chain of this kind hard to reproduce.

Cloudflare's AI-Powered Approach


The scanner uses Cloudflare's own Workers AI platform to tackle this fuzzy problem space. According to Cloudflare, models such as OpenAI's open-weight gpt-oss-120b can reliably match data dependencies between requests, working out which response field feeds which later parameter. They can also generate realistic synthetic data where needed, filling gaps in OpenAPI specifications. Structured outputs from the model turn its natural-language reasoning into machine-executable scan instructions.
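The genesis-then-replay sequence described above, and the structured test plan the executor consumes, as an added example in Python. This is not Cloudflare's code: the in-memory target API, the two tenant tokens and the plan layout are constructed for the demo. The scanner creates a fresh object as the owner for every probe, checks that an unauthenticated replay is rejected (otherwise the flaw is missing authentication rather than BOLA), and then replays the probe with a second user's valid credentials.

```python
"""Dependency-aware BOLA probe: a genesis POST as the owner, then the same
object replayed with a second user's valid credentials (added example)."""
import itertools

# Constructed bearer tokens for two legitimate tenants of the target API.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class NotesApi:
    """In-memory stand-in for a customer API. enforce_owner=False reproduces a
    BOLA bug; require_auth=False reproduces a missing-authentication bug."""

    def __init__(self, enforce_owner=True, require_auth=True):
        self.enforce_owner, self.require_auth = enforce_owner, require_auth
        self.notes, self._ids = {}, itertools.count(1)

    def handle(self, method, path, token, body=None):
        user = TOKENS.get(token)
        if user is None and self.require_auth:
            return 401, {"error": "unauthenticated"}
        parts = path.strip("/").split("/")
        if parts == ["notes"] and method == "POST":
            nid = next(self._ids)
            self.notes[nid] = {"id": nid, "owner": user, "text": body["text"]}
            return 201, dict(self.notes[nid])
        if len(parts) == 2 and parts[0] == "notes" and parts[1].isdigit():
            note = self.notes.get(int(parts[1]))
            # A correct server answers 404 (not 403) so it does not confirm the id exists.
            if note is None or (self.enforce_owner and note["owner"] != user):
                return 404, {"error": "not found"}
            if method == "GET":
                return 200, dict(note)
            if method == "PUT":
                note["text"] = body["text"]
                return 200, dict(note)
            if method == "DELETE":
                del self.notes[note["id"]]
                return 204, {}
        return 405, {"error": "unsupported"}


# Hypothetical test plan in the shape a structured-output step might hand to
# the executor: one genesis request plus the probes that consume the id it returns.
PLAN = {
    "genesis": {"method": "POST", "path": "/notes", "body": {"text": "owner's note"}, "id_field": "id"},
    "probes": [
        {"method": "GET", "path": "/notes/{id}"},
        {"method": "PUT", "path": "/notes/{id}", "body": {"text": "rewritten by another user"}},
        {"method": "DELETE", "path": "/notes/{id}"},
    ],
}


def scan_bola(api, plan, owner_token, attacker_token):
    """Return findings for probes that succeed with the *attacker's* own valid credentials."""
    findings, g = [], plan["genesis"]
    for probe in plan["probes"]:
        # Fresh genesis per probe: a destructive probe must not hide the ones after it.
        status, created = api.handle(g["method"], g["path"], owner_token, g.get("body"))
        if status // 100 != 2:
            raise RuntimeError(f"genesis request failed with HTTP {status}")
        path = probe["path"].format(id=created[g["id_field"]])
        method, body = probe["method"], probe.get("body")
        # Control: an unauthenticated replay must fail. If it succeeds, the
        # flaw is missing authentication, not object-level authorization.
        anon_status, _ = api.handle(method, path, None, body)
        if anon_status // 100 == 2:
            findings.append({"method": method, "path": path, "class": "no-auth", "status": anon_status})
            continue
        atk_status, _ = api.handle(method, path, attacker_token, body)
        if atk_status // 100 == 2:
            findings.append({"method": method, "path": path, "class": "BOLA", "status": atk_status})
    return findings


if __name__ == "__main__":
    for mode, api in {"vulnerable": NotesApi(enforce_owner=False), "fixed": NotesApi()}.items():
        print(mode, scan_bola(api, PLAN, "tok-alice", "tok-bob"))
```

Against a real target the `handle` calls become HTTP requests, and the plan's `id_field` is where the model's dependency matching earns its keep: it has to know that the `id` in the 201 response is the value that belongs in the later path parameter.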

The scanner's control plane uses Temporal, a workflow orchestration engine that other internal Cloudflare services already depend on, to coordinate scans. The entire backend is written in Rust.

Cloudflare uses HashiCorp Vault's Transit secrets engine to handle customer credentials. Transit provides encryption as a service, which matters here because authorization testing requires the scanner to hold working credentials for the target. Credentials are encrypted immediately on submission; the public API layer stores only ciphertext and cannot decrypt it. Decryption happens at the final stage only, when a test plan is about to send requests to the customer's infrastructure.
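The intake/execution split described above, as an added example in Python that is not Cloudflare's code. It uses the real Transit endpoint shapes (`POST /v1/transit/encrypt/<key>` and `/v1/transit/decrypt/<key>` with base64 plaintext) but the key name `scan-creds`, the two token names, the Vault address and the policy split are assumptions; the `FakeTransit` class stands in for Vault so the flow runs offline and enforces the same per-token policy a real deployment would attach.

```python
"""Encrypt-at-intake, decrypt-at-execution with Vault Transit, split by token
policy (added example; Cloudflare's real service layout is not public)."""
import base64
import json
import secrets
import urllib.request

KEY = "scan-creds"  # assumed transit key name (vault write -f transit/keys/scan-creds)

# Vault policies the two tokens are assumed to carry (HCL):
#   intake:   path "transit/encrypt/scan-creds" { capabilities = ["update"] }
#   executor: path "transit/decrypt/scan-creds" { capabilities = ["update"] }


class VaultTransit:
    """Thin Transit client. `post(path, payload, token)` is injectable so the
    flow can be exercised offline; the default posts to the real HTTP API."""

    def __init__(self, addr, token, post=None):
        self.addr, self.token = addr.rstrip("/"), token
        self.post = post or self._http_post

    def _http_post(self, path, payload, token):
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=json.dumps(payload).encode(),
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def encrypt(self, plaintext: bytes) -> str:
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        return self.post(f"transit/encrypt/{KEY}", body, self.token)["data"]["ciphertext"]

    def decrypt(self, ciphertext: str) -> bytes:
        if not ciphertext.startswith("vault:v"):
            raise ValueError("not a Transit ciphertext")
        out = self.post(f"transit/decrypt/{KEY}", {"ciphertext": ciphertext}, self.token)
        return base64.b64decode(out["data"]["plaintext"])


class FakeTransit:
    """Offline stand-in for Vault: enforces the per-token path policy above and
    hands back opaque handles instead of real AES-GCM ciphertext (constructed)."""
    POLICY = {"intake-token": {f"transit/encrypt/{KEY}"},
              "executor-token": {f"transit/decrypt/{KEY}"}}

    def __init__(self):
        self._store = {}

    def __call__(self, path, payload, token):
        if path not in self.POLICY.get(token, ()):
            raise PermissionError(f"403 permission denied: {token} on {path}")
        if path.startswith("transit/encrypt/"):
            ct = f"vault:v1:{secrets.token_urlsafe(24)}"
            self._store[ct] = payload["plaintext"]
            return {"data": {"ciphertext": ct}}
        return {"data": {"plaintext": self._store[payload["ciphertext"]]}}


def submit_scan(intake: VaultTransit, target: str, credential: bytes) -> dict:
    """Public API layer: encrypt on arrival and persist only the ciphertext."""
    return {"target": target, "auth_ciphertext": intake.encrypt(credential)}


def run_plan(executor: VaultTransit, job: dict) -> dict:
    """Final stage: decrypt only when the outbound request to the customer is built."""
    header = executor.decrypt(job["auth_ciphertext"]).decode()
    return {"url": job["target"], "headers": {"Authorization": header}}


def demo():
    vault = FakeTransit()  # swap for None to talk to a real Vault at the address below
    intake = VaultTransit("http://vault:8200", "intake-token", post=vault)
    executor = VaultTransit("http://vault:8200", "executor-token", post=vault)
    job = submit_scan(intake, "https://api.example.test/notes", b"Bearer s3cr3t")
    try:
        intake.decrypt(job["auth_ciphertext"])
        intake_can_decrypt = True
    except PermissionError:
        intake_can_decrypt = False
    return job, run_plan(executor, job), intake_can_decrypt
```

The property worth checking in review is the last return value: even if the intake service is compromised, its token cannot turn stored ciphertext back into a customer credential, because the `decrypt` path is simply not in its policy.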

Scans can be triggered, configured and read back through the Cloudflare API, which allows direct integration into CI/CD pipelines or security dashboards.

The Competitive Landscape

The market Cloudflare is entering is crowded and fragmented, and the contrast with incumbents is instructive. Salt Security, an established API security vendor, relies mainly on passive methods, detecting BOLA attacks through traffic analysis. Salt states that catching a BOLA attack requires monitoring API behavior over days or weeks, with long analysis windows spanning trillions of API calls.

This method works well in stable environments but leaves development pipelines blind. Cloudflare's active scanning approach fills this gap by enabling security testing in pre-production environments where passive monitoring cannot reach.

Cloudflare has also opened a waitlist for a web application vulnerability scanning tier, which will address common web threats such as SQL injection and cross-site scripting.

The scanner represents a significant evolution in API security testing, combining AI-powered dependency analysis with edge-based execution to catch the authorization flaws that traditional tools miss.
