Cloudflare Adds Active API Vulnerability Scanning to Its Edge

News Room, published 31 March 2026 (last updated 2026/03/31 at 4:20 PM)
Cloudflare has announced the open beta of its Web and API Vulnerability Scanner. This Dynamic Application Security Testing (DAST) tool is part of the API Shield platform. The first release focuses only on Broken Object Level Authorization (BOLA), which is ranked first in the OWASP API Top 10. Future updates will expand to cover the wider OWASP Web Top 10, including SQL injection and cross-site scripting.

The most dangerous API vulnerabilities today aren’t just basic injection attacks or malformed requests that a WAF can easily detect. They are logic flaws: perfectly valid HTTP requests that conform to the protocol and the application spec but violate the business logic. A WAF, no matter how well set up, can’t catch a request in which an authenticated user simply changes another user’s resource ID in a path parameter. The request is correct in structure and meaning; the issue lies solely with the server’s authorization logic.

Last year, Cloudflare launched BOLA vulnerability detection for API Shield. This tool automatically spots vulnerabilities by passively scanning customer traffic for unusual patterns. Passive detection works well when traffic volume is sufficient and attack patterns are visible. But development environments often need testing yet have no user traffic, and production environments may see no attack traffic yet still need analysis. In these cases, which cover most pre-production security workflows, teams need to create their own synthetic test traffic. That is what DAST tools are made for.

The issue with traditional DAST tools is their high barrier to entry. They can be difficult to set up and often need manual uploads of Swagger/OpenAPI files. They also struggle with modern login flows and often lack API-specific security tests.

Cloudflare believes that finding authorization flaws works best by viewing the API as a call graph instead of a flat list of endpoints. To find a BOLA vulnerability, a resource must first exist on the server side: an owner must first make a creation request, called a genesis POST. Only then can a tester try to access or change that resource using a different user’s valid credentials. Most legacy scanners handle each request separately, which makes it difficult to recreate this kind of dependency chain.
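
As an added illustration of the dependency chain and the flaw described above (example code, not Cloudflare’s scanner or any real API), the Python below models a tiny notes API: an owner’s genesis POST creates a resource, a second authenticated user then requests it by ID, and the vulnerable handler is shown beside its hardened form. All endpoint names, tokens and users are constructed fixtures.

```python
# Added example (not Cloudflare's code): an in-memory API modelling the BOLA
# dependency chain. create_note() is the owner's "genesis POST"; the two GET
# handlers differ only in whether they check object ownership. check_bola()
# replays the chain against a handler and reports whether the cross-user read
# succeeded. Tokens, users and paths are hypothetical fixtures.
from dataclasses import dataclass, field

@dataclass
class Store:
    notes: dict = field(default_factory=dict)  # note_id -> {"owner": str, "body": str}
    next_id: int = 1

VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed test users

def authenticate(headers):
    """Return the user behind a bearer token, or None (treated as 401)."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return VALID_TOKENS.get(token)

def create_note(store, headers, body):
    """POST /notes (genesis request): records the creator as the owner."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    note_id, store.next_id = store.next_id, store.next_id + 1
    store.notes[note_id] = {"owner": user, "body": body}
    return 201, note_id

def get_note_vulnerable(store, headers, note_id):
    """GET /notes/{id} with the BOLA flaw: any authenticated user reads any id."""
    if authenticate(headers) is None:
        return 401, None
    note = store.notes.get(note_id)
    return (200, note["body"]) if note else (404, None)

def get_note_hardened(store, headers, note_id):
    """Fixed handler: object-level check that the caller owns the note.
    Returning 404 rather than 403 avoids confirming that the id exists."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    note = store.notes.get(note_id)
    if note is None or note["owner"] != user:
        return 404, None
    return 200, note["body"]

def check_bola(get_handler):
    """Replay the chain: alice creates, bob reads. True means BOLA is present."""
    store = Store()
    owner = {"Authorization": "Bearer tok-alice"}
    other = {"Authorization": "Bearer tok-bob"}
    status, note_id = create_note(store, owner, "alice's private note")
    assert status == 201  # the genesis POST must succeed before the test means anything
    status, _ = get_handler(store, other, note_id)
    return status == 200
```

The same replay works against any handler that takes the resource ID from a path parameter, which is the shape of test a scanner must derive from the call graph rather than from a single endpoint in isolation.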

Figure: Example of API graph

The scanner uses Cloudflare’s own Workers AI platform to tackle this fuzzy problem space. Models like OpenAI’s open-weight gpt-oss-120b can reliably match data dependencies. They can also create realistic fake data when needed, effectively filling in gaps in OpenAPI specifications. Structured outputs from the model connect natural language reasoning to machine-executable scan instructions.

The scanner’s control plane uses Temporal for scan orchestration. Other internal services at Cloudflare already depend on it. The entire backend is built in Rust. Cloudflare uses HashiCorp’s Vault Transit Secret Engine to handle credentials. This service provides encryption-as-a-service, which is key for testing authorization. Credentials are encrypted right after submission. The public API layer cannot decrypt them. Decryption only happens at the final stage when a test plan requests access to the customer’s infrastructure.

The scanner is currently available in open beta for API Shield customers. Results appear in Cloudflare’s Security Insights dashboard alongside existing posture findings. Teams can use the Cloudflare API to trigger scans, manage settings, and get results. This allows for direct integration into CI/CD pipelines or security dashboards. Cloudflare has opened a waitlist for the new web application vulnerability scan tier. This will address common threats like SQLi and XSS.

Cloudflare enters the API DAST space, which is crowded and fragmented. The comparison is revealing. Salt Security, a key player in API security, mainly uses passive methods. It detects BOLA attacks through traffic analysis. Salt claims that capturing a BOLA attack requires monitoring API behaviour over days or weeks. This involves long analysis windows across trillions of API calls. This method works well in stable environments but leaves development pipelines blind.
