loading
loading
Scanners
Identify and fingerprint Web Application Firewall products protecting a website.
overview
wafw00f tells you which Web Application Firewall sits in front of a site. It sends crafted probes and reads how the target reacts, then matches that behavior against a library of signatures covering dozens of commercial and open-source WAFs. Knowing the product up front shapes later fuzzing and scanning, because defenses differ by vendor.
Each WAF leaves tells: headers, block-page wording, cookie names, or status patterns under attack-like probes. wafw00f triggers and reads those tells. --findall keeps testing past the first match so stacked WAFs both show up, and --test narrows a run to one product when you only need to confirm a suspicion.
Run it before active scanning so the rest of the pipeline knows what defense it faces. Emit JSON or CSV with --format so the detected WAF becomes a structured field downstream tooling can branch on. On Trickest the Scanners node takes URLs or an input file and writes a file and a folder of results.
use cases
Identify the firewall in front of a target so later fuzzing and scanning can be tuned to the defense it faces.
Use --findall so wafw00f keeps testing past the first signature match and reports every WAF layered in front of the site.
Narrow a run with --test to check for one named WAF when you only need to verify a suspicion rather than enumerate.
Feed --input-file of URLs in CSV, JSON, or text so a whole estate gets WAF-tagged in a single node for branching downstream.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | Specify target url(s) url1 [url2 [url3 ... ]]. |
| input-file | FILE | --input-file | Read targets from a file (csv, json, or text; a url column is required). |
| test | STRING | --test | Test for one specific WAF. |
| findall | BOOLEAN | --findall | Find all matching WAFs; do not stop on the first one. |
| format | STRING | --format | Force output format to csv, json, or text. |
| proxy | STRING | --proxy | Use an HTTP or SOCKS proxy for requests. |
| headers | FILE | --headers | Pass custom headers via a text file to overwrite the default set. |
| noredirect | BOOLEAN | --noredirect | Do not follow redirections given by 3xx responses. |
Showing key inputs. wafw00f exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | Specify target url(s) url1 [url2 [url3 ... ]] |
| list | BOOLEAN | --list | List all WAFs that WAFW00F is able to detect |
| test | STRING | --test | Test for one specific WAF |
| proxy | STRING | --proxy | Use an HTTP proxy to perform requests, examples: http://hostname:8080, socks5://hostname:1080, http://user:pass@hostname:8080 |
| format | STRING | --format | Force output format to csv, json or text. |
| findall | BOOLEAN | --findall | Find all WAFs which match the signatures, do not stop testing on the first one |
| headers | FILE | --headers | Pass custom headers via a text file to overwrite the default header set. |
| verbose | BOOLEAN | --verbose | Enable verbosity |
| no-colors | BOOLEAN | --no-colors | Disable ANSI colors in output. |
| input-file | FILE | --input-file | Read targets from a file. Input format can be csv, json or text. For csv and json, a `url` column name or element is required. |
| noredirect | BOOLEAN | --noredirect | Do not follow redirections given by 3xx responses |
example
# fingerprint WAFs on a URL list, keep every match, JSON outwafw00f --input-file urls.txt --findall --format json --noredirect[+] The site https://www.example.com is behind Cloudflare (Cloudflare Inc.)[+] The site https://app.example.com is behind AWS Elastic Load Balancer (Amazon)[+] The site https://api.example.com is behind ModSecurity (OWASP ModSecurity)[*] Number of requests: 42[*] Finding all matches enabled; continuing past first hit[*] Output written (json)guidance
Use wafw00f before active testing to learn which WAF protects a target, so payloads and rate limits can be tuned to it. It fingerprints the firewall but does not bypass it. Pair it with a bypass tool like nomore403 or bypass-403 when a WAF is blocking access you need.
Another WAF detector that also suggests bypasses. wafw00f has the broader, well-maintained signature set.
Attempts to bypass 403 and WAF blocks. Run it after wafw00f identifies the firewall.
Fingerprints web technologies broadly. wafw00f focuses specifically on the WAF layer.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A URL feeds wafw00f, which probes the site, matches the response against its signature library, and writes the detected WAF as a queryable output.
Facts on this page come from the live Trickest tool library.