wafw00f
Identify Web Application Firewall presence
TLDR
Check if a website is using any WAF
Test for all detectable WAFs without stopping at the first match
Pass requests through a proxy (such as BurpSuite)
Test for a specific WAF product (run wafw00f --list to get list of all supported WAFs)
Pass custom headers from a file
Read target inputs from a file and show verbose output (multiple v for more verbosity)
List all WAFs that can be detected
SYNOPSIS
wafw00f [options]
PARAMETERS
-h, --help
Show the program's help message and exit.
-v, --version
Show the program's version number and exit.
-a, --findall
Find all WAFs, do not exit on first match.
-r, --followredirects
Follow HTTP redirects.
-t, --test=
Test for a specific WAF by its name.
-l, --list
List all supported WAFs.
-p, --proxy=
Use an HTTP/SOCKS proxy, e.g. http://127.0.0.1:8080
-i, --input=
Read targets from a file, one URL per line.
-o, --output=
Output results to a file.
-f, --format=
Output format: json, xml, html, or text (default is text).
-V, --verbose
Enable verbose output.
-d, --debug
Enable debug output for detailed information.
-s, --strict
Use strict mode, only return highly confident matches.
-c, --nocaching
Disable caching of WAF rules.
-u, --ua=
Specify a custom User-Agent string.
-H, --headers=
Add custom HTTP headers. Can be used multiple times.
DESCRIPTION
wafw00f is an open-source tool that identifies and fingerprints Web Application Firewalls (WAFs). It sends a series of both normal and deliberately malicious HTTP requests to a target web server and analyzes the responses, including status codes, headers, and body content, to determine whether a WAF is present and, if so, which vendor or product it belongs to. This is useful to penetration testers, security researchers, and developers who need to understand and assess the security controls in place on a web application. It supports a wide range of known WAF products, uses both passive (response analysis) and active (payload-based) detection techniques, and offers proxy support, input from files, and several output formats for integration into other workflows.
CAVEATS
While wafw00f is highly effective, it's not infallible. False positives or negatives can occur, especially with highly customized WAF rules, very new WAF products, or when facing advanced evasion techniques. Network conditions and server responsiveness can also affect accuracy. Users should always obtain proper authorization before scanning any target system, as unauthorized scanning may be illegal or violate terms of service.
DETECTION LOGIC
wafw00f employs a two-pronged approach for WAF detection:
1. Passive Detection: It analyzes the HTTP response headers and body content for patterns or specific strings indicative of known WAFs without sending malicious payloads.
2. Active Detection: It sends a variety of malicious HTTP payloads (e.g., SQL injection, XSS) and observes how the WAF responds to these attempts, looking for characteristic block pages, redirect patterns, or specific error messages.
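The two steps above, sketched as an added example that is not wafw00f's own code: the signature table, function names and sample responses are constructed for illustration, and the comparison runs offline on already-captured responses. It is useful for checking which identifying headers your own WAF or CDN exposes.

```python
import re

# Illustrative signatures (assumed for this example, not wafw00f's plugin rules).
# Each rule is (response header name, or None for the body; regex to search).
SIGNATURES = {
    "Cloudflare": [("server", r"^cloudflare$"), ("cf-ray", r".+")],
    "Amazon CloudFront": [("x-amz-cf-id", r".+"), ("via", r"cloudfront")],
    "Sucuri": [("x-sucuri-id", r".+"), (None, r"sucuri website firewall")],
}

def _headers(response):
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in response["headers"].items()}

def _rule_hits(rule, response):
    header, pattern = rule
    text = response["body"] if header is None else _headers(response).get(header)
    return text is not None and re.search(pattern, text, re.I) is not None

def identify(response, find_all=False):
    """Passive step: names of products whose signature matches the response.
    Stops at the first match unless find_all is set (the -a/--findall idea)."""
    found = []
    for product, rules in SIGNATURES.items():
        if any(_rule_hits(rule, response) for rule in rules):
            found.append(product)
            if not find_all:
                break
    return found

def generic_indicators(baseline, flagged):
    """Active step, evaluated offline: compare the response to a normal request
    with the response to a request the WAF was expected to reject."""
    reasons = []
    if flagged["status"] != baseline["status"]:
        reasons.append(f"status {baseline['status']} -> {flagged['status']}")
    if _headers(flagged).get("server") != _headers(baseline).get("server"):
        reasons.append("Server header changed")
    return reasons

# Constructed sample responses (no network traffic is generated).
NORMAL = {"status": 200, "headers": {"Server": "nginx"}, "body": "<h1>Shop</h1>"}
BLOCKED = {"status": 403, "headers": {"Server": "gateway"}, "body": "Request rejected"}
CDN = {"status": 200, "headers": {"Server": "cloudflare", "CF-RAY": "sample-id",
                                  "X-Sucuri-ID": "sample-id"}, "body": "ok"}

if __name__ == "__main__":
    print(identify(CDN), identify(CDN, find_all=True), identify(NORMAL))
    print(generic_indicators(NORMAL, BLOCKED))
```

In this sketch, an empty result from identify() combined with a non-empty result from generic_indicators() means something is filtering requests but no known signature matched.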
USAGE EXAMPLES
Scan a single URL:
wafw00f https://www.example.com
Scan a URL with verbose output and follow redirects:
wafw00f -r -V https://www.example.com
Scan multiple URLs from a file and output to JSON:
wafw00f -i urls.txt -f json -o results.json
Test for a specific WAF using a proxy:
wafw00f -t Cloudflare -p http://127.0.0.1:8080 https://www.example.com
HISTORY
wafw00f was initially developed by Sandeep Singh and has since been nurtured by a community of contributors, becoming a staple in the arsenal of security professionals. It is an open-source project, continuously updated to include detection for new WAF technologies and improve existing fingerprints. Its inclusion in popular security distributions like Kali Linux has cemented its status as a go-to tool for WAF identification.