Active defense: introducing a stateful vulnerability scanner for APIs
Blog post from Cloudflare
Cloudflare is expanding its security offerings with the introduction of a Web and API Vulnerability Scanner, initially targeting the OWASP API Top 10 threat of Broken Object Level Authorization (BOLA). Unlike traditional defensive security measures such as WAFs, which focus on blocking suspicious traffic, this scanner actively hunts for logical flaws in APIs: requests that exercise such flaws look like valid HTTP requests but conflict with the application's business logic (for example, an authenticated user reading another user's object). Cloudflare's approach leverages its API Shield, which passively scans for anomalies and provides context for detecting vulnerabilities, and uses dynamic application security testing (DAST) to create new test traffic profiles. The scanner integrates with existing Cloudflare security tools, using features such as API Discovery and Schema Learning to automatically construct scan plans. It also employs Cloudflare's Workers AI platform to address inconsistencies in OpenAPI specifications, so that relationships between API endpoints are modeled accurately. Built on proven infrastructure with robust security measures for handling API credentials, the scanner is launching as an Open Beta for API Shield customers and will gradually expand to cover more API and web application threats.
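As an added illustration of the BOLA check described above (this is example code, not Cloudflare's scanner or its logic), the following Python models why such a test is stateful: the probe first confirms the owner can read an object, then replays the same object id under a second identity and reports whether ownership was enforced. The in-memory store, the two handlers and the user names are constructed for the example.

```python
# Added example (not Cloudflare's code): a minimal model of a stateful BOLA test.
# Two identities each own one object; the probe reads the owner's object, then
# replays the same id as another user. Store, handlers and users are constructed.
from dataclasses import dataclass

# Constructed sample data: object id -> record with its owner
OBJECTS = {"order-1001": {"owner": "alice", "total": 42.0},
           "order-2002": {"owner": "bob", "total": 17.5}}

@dataclass
class Request:
    user: str        # authenticated principal (what a session token resolves to)
    object_id: str

def vulnerable_get_order(req):
    """BOLA: the request is well-formed and authenticated, but any user can
    read any order because ownership is never checked."""
    obj = OBJECTS.get(req.object_id)
    if obj is None:
        return 404, None
    return 200, obj

def hardened_get_order(req):
    """Object-level authorization: only the owner may read the order.
    Returning 404 rather than 403 avoids confirming that the id exists."""
    obj = OBJECTS.get(req.object_id)
    if obj is None or obj["owner"] != req.user:
        return 404, None
    return 200, obj

def bola_probe(handler, owner, other, object_id):
    """Stateful check: verify the owner can read the object (the id is live and
    the session works), then replay the same id as another user.
    'vulnerable' is True when the cross-user replay succeeded."""
    base_status, _ = handler(Request(owner, object_id))
    if base_status != 200:
        return {"object_id": object_id, "vulnerable": False, "note": "baseline failed"}
    cross_status, _ = handler(Request(other, object_id))
    return {"object_id": object_id, "vulnerable": cross_status == 200,
            "baseline": base_status, "cross_user": cross_status}

def scan(handler):
    """Build a scan plan from the known objects (standing in for ids learned
    during discovery) and probe each one as a non-owner."""
    users = sorted({o["owner"] for o in OBJECTS.values()})
    findings = []
    for oid, obj in OBJECTS.items():
        other = next(u for u in users if u != obj["owner"])
        findings.append(bola_probe(handler, obj["owner"], other, oid))
    return findings
```

Running `scan` against each handler flags every object for the vulnerable version and none for the hardened one.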