Active defense: introducing a stateful vulnerability scanner for APIs
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Introducing Cloudflare's Stateful Vulnerability Scanner for APIs
Cloudflare has launched a beta version of its Web and API Vulnerability Scanner, focusing on Broken Object Level Authorization (BOLA), a pervasive and difficult-to-catch threat on the OWASP API Top 10. This scanner actively identifies logic flaws in APIs, which are often overlooked by traditional web application firewalls (WAFs) and bot management offerings. The scanner will be available first for API Shield customers.
Key Technical Details
The scanner uses a stateful approach to identify vulnerabilities: it either actively sends API test traffic or passively listens to existing API traffic. Either way it needs context about what a "valid" API call looks like, including which parameters vary, how a typical user behaves, and how the API responds when those parameters are manipulated. The scanner will add more vulnerability scan types over time, covering both API and web application threats.
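To make the "stateful" idea concrete, here is an added example (not Cloudflare's code) of a BOLA check run against a constructed in-memory API: the check first confirms a baseline call is valid for the caller, then replays it with an object identifier owned by a different user and compares the responses. A vulnerable handler and a hardened one are shown side by side; the users, order IDs and token scheme are all constructed for the example.

```python
"""Toy stateful BOLA check: learn a valid call, mutate the object id, compare.
Constructed example; the API handlers and scanner logic are not Cloudflare's."""
from typing import Callable, Optional
from dataclasses import dataclass

# Constructed sample data: two orders owned by two different users.
ORDERS = {101: {"owner": "alice", "total": 40}, 202: {"owner": "bob", "total": 75}}
KNOWN_TOKENS = ("alice", "bob")  # constructed: token == username for brevity


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_order(token: str, order_id: int) -> Response:
    """Authenticates the caller but never checks object ownership (BOLA)."""
    if token not in KNOWN_TOKENS:
        return Response(401)
    order = ORDERS.get(order_id)
    return Response(200, order) if order else Response(404)


def hardened_get_order(token: str, order_id: int) -> Response:
    """Same lookup, but scoped to objects the caller actually owns."""
    if token not in KNOWN_TOKENS:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != token:
        return Response(404)  # same answer as "missing": don't confirm the object exists
    return Response(200, order)


def bola_check(api: Callable[[str, int], Response], token: str,
               baseline_id: int, foreign_id: int) -> dict:
    """Stateful check: (1) confirm the baseline call succeeds for this caller,
    (2) replay it with an id owned by someone else, (3) flag if the API still
    returns another user's object to this caller."""
    baseline = api(token, baseline_id)
    if baseline.status != 200:
        return {"state": "no-baseline", "vulnerable": False}
    probe = api(token, foreign_id)
    leaked = (probe.status == 200 and probe.body is not None
              and probe.body["owner"] != token)
    return {"state": "probed", "probe_status": probe.status, "vulnerable": leaked}


if __name__ == "__main__":
    print("vulnerable:", bola_check(vulnerable_get_order, "alice", 101, 202))
    print("hardened:  ", bola_check(hardened_get_order, "alice", 101, 202))
```

The hardened handler returns the same 404 for "not yours" and "does not exist", so the check cannot distinguish the two and reports nothing, which is the behaviour a defender wants.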
Practical Implications for Developers
Developers can use Cloudflare's stateful vulnerability scanner to identify and fix logic flaws in their APIs. This is particularly useful for APIs that serve mobile applications or other external systems. By actively scanning for such flaws, developers can find and close BOLA weaknesses, which otherwise allow unauthorized access to other users' data, before they are exploited.
Timeline and Availability
The Web and API Vulnerability Scanner is currently in beta and available first for API Shield customers. As the scanner evolves, it will add more vulnerability scan types and become available to a wider range of customers.