LinuxCommandLibrary

whatwaf

Detect web application firewall (WAF) presence

TLDR

Detect protection on a single URL, optionally use verbose output

$ whatwaf [[-u|--url]] [https://example.com] --verbose

Detect protection on a list of URLs in parallel from a file (one URL per line)
$ whatwaf [[-t|--threads]] [number] [[-l|--list]] [path/to/file]

Send requests through a proxy and use custom payload list from a file (one payload per line)
$ whatwaf --proxy [http://127.0.0.1:8080] --pl [path/to/file] [[-u|--url]] [https://example.com]

Send requests through Tor (Tor must be installed) using custom payloads (comma-separated)
$ whatwaf --tor [[-p|--payloads]] '[payload1,payload2,...]' [[-u|--url]] [https://example.com]

Use a random user-agent, set throttling and timeout, send a POST request, and force HTTPS connection
$ whatwaf --ra --throttle [seconds] --timeout [seconds] [[-P|--post]] --force-ssl [[-u|--url]] [http://example.com]

List all WAFs that can be detected
$ whatwaf --wafs

List all available tamper scripts
$ whatwaf --tampers

SYNOPSIS

whatwaf -u <target_url> [options]

PARAMETERS

-u, --url <target_url>
    Specifies the target URL to scan for WAF detection. This is a mandatory parameter.

--timeout <seconds>
    Sets the connection timeout in seconds for HTTP requests. Default is typically 10 seconds.

-r, --retries <number>
    Specifies the number of retries for failed HTTP requests. Default is usually 3.

--proxy <proxy_string>
    Configures an HTTP/S proxy for all requests (e.g., http://127.0.0.1:8080). Useful for debugging or routing through specific networks.

-a, --agents <file_path>
    Provides a file containing a list of user-agent strings to cycle through during requests, helping to evade simple user-agent blocking.

--verbose
    Enables verbose output, displaying more detailed information about the detection process and responses.

--debug
    Enables debug output, providing even more detailed technical information for troubleshooting.

--wafs
    Lists all the WAF technologies that whatwaf is capable of detecting.

DESCRIPTION

The whatwaf command is a Python-based utility primarily used in web application security assessments and penetration testing to identify and fingerprint Web Application Firewalls (WAFs). WAFs are security solutions that protect web applications from various attacks, such as SQL injection, cross-site scripting (XSS), and denial-of-service (DoS).

whatwaf operates by sending a series of specifically crafted HTTP requests to a target URL and analyzing the responses for characteristic patterns, error messages, or headers that are indicative of a particular WAF technology. It helps security professionals understand the defense mechanisms in place, which is crucial for planning further testing or for tailoring exploits. The tool supports various detection techniques and can identify a range of commercial and open-source WAF products.
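
The response-analysis step described above, as an added example (not whatwaf's own code): it matches headers and body text of an HTTP response against a small hand-written signature set and reports the evidence, which also shows a defender which response elements disclose the product in front of their application. The signature set, function names and both sample responses are assumptions constructed for illustration; the second sample is a customized block page with no identifying strings, the case where fingerprinting returns nothing.

```python
import re

# Assumption: a small hand-written signature set for illustration, not whatwaf's rules.
# Each product maps to (header regexes keyed by lowercase name, body regexes).
SIGNATURES = {
    "Cloudflare": ({"server": r"^cloudflare$", "cf-ray": r".+"},
                   [r"Attention Required! \| Cloudflare"]),
    "Sucuri": ({"server": r"Sucuri/Cloudproxy", "x-sucuri-id": r".+"},
               [r"Access Denied - Sucuri Website Firewall"]),
    "ModSecurity": ({}, [r"This error was generated by Mod_Security"]),
}

def parse_response(raw):
    """Split a raw HTTP response into (status, lowercase-keyed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def fingerprint(raw):
    """Return {product: [evidence, ...]} for every signature the response matches."""
    _, headers, body = parse_response(raw)
    hits = {}
    for product, (header_pats, body_pats) in SIGNATURES.items():
        # A missing header is treated as an empty string, so it never matches.
        evidence = [f"header:{name}" for name, pat in header_pats.items()
                    if re.search(pat, headers.get(name, ""), re.I)]
        evidence += [f"body:{pat}" for pat in body_pats if re.search(pat, body, re.I)]
        if evidence:
            hits[product] = evidence
    return hits

# Constructed responses (not captured from any real site).
CLOUDFLARE_BLOCK = ("HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n"
                    "CF-RAY: 0000000000000000-XXX\r\n\r\n"
                    "<title>Attention Required! | Cloudflare</title>")
CUSTOM_BLOCK = "HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n<h1>Request rejected</h1>"

if __name__ == "__main__":
    for label, raw in (("cloudflare-like", CLOUDFLARE_BLOCK), ("customized", CUSTOM_BLOCK)):
        print(label, fingerprint(raw) or "no known fingerprint")
```
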

CAVEATS

whatwaf is not a standard Linux command and typically requires Python and pip for installation. Its WAF detection relies on fingerprinting and may not always be 100% accurate, especially against highly customized or obfuscated WAFs.

Users should ensure they have proper authorization before scanning any target website, as unauthorized scanning may be illegal.

INSTALLATION

whatwaf can typically be installed using pip, the Python package installer:
pip install whatwaf

Ensure Python 3 is installed on your system before attempting installation.

TYPICAL USAGE

To scan a target URL for WAFs:
whatwaf -u https://example.com

To use a proxy and verbose output:
whatwaf -u https://example.com --proxy http://127.0.0.1:8080 --verbose

HISTORY

Developed by security researchers and open-source contributors, whatwaf emerged as a specialized tool for automated WAF identification. It gained popularity within the penetration testing community for its dedicated focus, complementing broader vulnerability scanners by providing targeted WAF intelligence.

SEE ALSO

wafw00f, nmap(1), curl(1), sqlmap(1)
