loading
loading
Recon
Detect and bypass web application firewalls and protection systems.
overview
whatwaf probes a URL with crafted payloads and matches the response against firewall signatures, then optionally tests tamper scripts that may evade the block. Use it to learn which product sits in front of an app before heavier scanning.
--skip limits the run to identification without bypass attempts. --list and --threads scale the same check across many hosts, and --json or --csv capture structured results for later branching.
On Trickest the Recon node takes a URL or list and writes a file and a folder. Pair it with wafw00f for a second fingerprint opinion, then tune scanners to the defense you found.
source github.com/Ekultek/WhatWaf
use cases
Run --url against a target so later fuzzing and nuclei templates account for the firewall product.
Pass --skip when you need the vendor name without spending time on tamper-script evaluation.
Feed --list of hosts and raise --threads so an estate gets WAF-tagged in one pass.
Enable --json so downstream nodes can route differently when Cloudflare, ModSecurity, or no WAF is present.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Single URL to detect protection on. |
| list | FILE | --list | File of URLs, one per line, to detect protection on. |
| skip | BOOLEAN | --skip | Identify the firewall without checking bypasses. |
| json | BOOLEAN | --json | Write output to a JSON file. |
| threads | STRING | --threads | Number of parallel request threads (default 1). |
| determine-webserver | BOOLEAN | --determine-webserver | Attempt to identify the backend web server. |
| fingerprint | BOOLEAN | --fingerprint | Save all fingerprints for further investigation. |
| random-user-agent | BOOLEAN | --ra | Use a random user-agent for HTTP requests. |
Showing key inputs. whatwaf exposes 30 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| csv | BOOLEAN | --csv | Send the output to a CSV file |
| url | STRING | --url | Pass a single URL to detect the protection |
| burp | FILE | --burp | Pass a Burp Suite request file to perform WAF evaluation |
| data | STRING | --data | Send this data with the POST request (*default=random) |
| hide | BOOLEAN | --hide | Hide the banner during the run |
| json | BOOLEAN | --json | Send the output to a JSON file |
| list | FILE | --list | Pass a file containing URL's (one per line) to detect the protection |
| post | BOOLEAN | --post | Send a POST request (*default=GET) |
| skip | BOOLEAN | --skip | Skip checking for bypasses and just identify the firewall |
| test | BOOLEAN | --test | Test the connection to the website before starting (*default=True) |
| yaml | BOOLEAN | --yaml | Send the output to a YAML file |
| proxy | STRING | --proxy | Provide a proxy to run behind in the format type://address:port (IE socks5://10.54.127.4:1080) (*default=None) |
| encode | STRING | --encode | Encode a provided payload using provided tamper script(s) you are able to payy multiple tamper script load paths to this argument and the payload will be tampered as requested |
| googler | FILE | --googler | Pass a JSON file from the Googler CMD line tool (IE googler -n 100 --json >> googler.json) |
| headers | STRING | --headers | Add your own custom headers to the request. To use multiple separate headers by comma. Your headers need to be exact(IE: Set-Cookie=a345ddsswe,X-Forwarded-For:127.0.0.1) (*default=None) |
| threads | STRING | --threads | Send requests in parallel (specify number of threads (*default=1) |
| timeout | STRING | --timeout | Control the timeout time of the requests (*default=15) |
| verbose | BOOLEAN | --verbose | Run in verbose mode (more output) |
| payloads | STRING | --payloads | Provide your own payloads separated by a comma IE AND 1=1,AND 2=2 |
| throttle | STRING | --throttle | Provide a sleep time per request (*default=0) |
| force-ssl | BOOLEAN | --force-ssl | Force the assignment of HTTPS instead of HTTP while processing (*default=HTTP unless otherwise specified by URL) |
| force-file | BOOLEAN | --force-file | Force the creation of a file even if there is no protection identified |
| tamper-int | STRING | --tamper-int | Control the amount of tampers that are displayed (*default=5) |
| user-agent | STRING | --pa | Provide your own personal agent to use it for the HTTP requests |
| verify-num | STRING | --verify-num | Change the request amount to verify if there really is not a WAF present(*default=5) |
| encode-list | STRING | --encode-list | Encode a file containing payloads (one per line) by passing the path and load path, files can only encoded using a single tamper script load path |
| fingerprint | BOOLEAN | --fingerprint | Save all fingerprints for further investigation |
| payload-list | FILE | --pl | Provide a file containing a list of payloads 1 per line |
| random-user-agent | BOOLEAN | --ra | Use a random user-agent for the HTTP requests (*default=whatwaf/2.1.6.3 (Language=3.10.12; Platform=Linux)) |
| determine-webserver | BOOLEAN | --determine-webserver | Attempt to determine what web server is running on the backend (IE Apache, Nginx, etc.. *default=False) |
example
# identify WAF only (no bypass attempts), JSON outwhatwaf --url https://example.com --skip --json --ra[~] checking https://example.com[+] detected: Cloudflare[~] checking https://api.example.com[+] detected: AWS WAF[~] checking https://www.example.com[+] detected: ModSecurity[~] checking https://staging.example.com[*] no WAF detected[~] checking https://198.51.100.55[+] detected: Impervaguidance
Run WhatWaf before scanning to learn whether a WAF guards the target and how it might be evaded. It detects and suggests bypasses, it does not exploit. Pair it with wafw00f for a second opinion on detection, and with a scanner for the actual testing.
Focused WAF fingerprinter. Strong at identification; WhatWaf adds tamper-bypass suggestions.
Template scanner that can include WAF-detection templates as part of a broader run.
Identifies web technologies broadly, including some firewall signals, rather than focusing on WAF bypass.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A URL feeds WhatWaf, which fingerprints the firewall in the path before nuclei scans the host and writes findings as a queryable output.
Facts on this page come from the live Trickest tool library.