Category: Web Application Analysis
Tags: waf, web-application-firewall, fingerprinting, detection, http

wafw00f

wafw00f identifies and fingerprints Web Application Firewall products. It detects WAF solutions by analyzing HTTP responses to normal and potentially malicious requests.

Description

wafw00f is a tool designed to identify and fingerprint Web Application Firewall (WAF) products. It helps security professionals and penetration testers detect protective layers on web applications by recognizing signatures from various WAF vendors.

Use cases include reconnaissance during vulnerability assessments, verifying WAF presence before testing web applications, and mapping security configurations of target websites. The tool is particularly useful in penetration testing workflows to understand defensive measures in place.

It operates non-intrusively in most cases, but when the initial passive detection fails it sends potentially malicious HTTP requests (which the target's security controls may log or block) in order to provide comprehensive WAF identification.

How It Works

The tool first sends a normal HTTP request and analyzes the response to identify certain WAF solutions. If unsuccessful, it sends multiple potentially malicious HTTP requests and applies simple logic to deduce the WAF product. As a final step, it analyzes previous responses using another algorithm to detect if a WAF or security solution is actively responding.
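The three stages above can be modelled without any network traffic. The following is an added example, not wafw00f's own code: it runs header signatures over a benign baseline response first, then over the responses to "probe" requests, and finally falls back to a behavioural check (did a probe get a block-style status, or answer from a different server, when the baseline succeeded?). The Cloudflare checks use its well-known cf-ray and Server: cloudflare headers; "Acme WAF" is a constructed placeholder vendor, and every response here is constructed inline. A defender can use the same logic to confirm that their own WAF's block pages are (or are not) trivially recognisable.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; header names are normalised to lowercase."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


# Vendor signatures: product name -> predicate over a single response.
# Cloudflare: real, well-known headers. "Acme WAF": constructed placeholder, not a product.
SIGNATURES: Dict[str, Callable[[Response], bool]] = {
    "Cloudflare": lambda r: "cf-ray" in r.headers
        or r.headers.get("server", "").lower() == "cloudflare",
    "Acme WAF (constructed)": lambda r: "x-acme-waf" in r.headers
        or "blocked by acme" in r.body.lower(),
}

# Status codes a filtering device commonly uses to reject a malicious-looking request.
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}


def match_signatures(responses: List[Response], find_all: bool) -> List[str]:
    """Stages 1 and 2: names of products whose signature matches any response.
    Stops at the first hit unless find_all is set (the -a flag's behaviour)."""
    found = []
    for name, check in SIGNATURES.items():
        if any(check(r) for r in responses):
            found.append(name)
            if not find_all:
                break
    return found


def generic_detection(normal: Response, probes: List[Response]) -> bool:
    """Stage 3: a filtering device is likely present if the benign request succeeded
    but a probe was rejected, or was answered by a different Server than the baseline."""
    if normal.status >= 400:
        return False  # baseline already failing; differences cannot be attributed to a WAF
    baseline_server = normal.headers.get("server")
    return any(p.status in BLOCK_STATUSES or p.headers.get("server") != baseline_server
               for p in probes)


def fingerprint(normal: Response, probes: List[Response], find_all: bool = False) -> List[str]:
    """Run the three stages in order. Returns identified product names, ['Generic WAF']
    when only the behavioural stage fires, or [] when nothing is detected."""
    found = match_signatures([normal], find_all)
    if found and not find_all:
        return found
    found += [n for n in match_signatures(probes, find_all) if n not in found]
    if found:
        return found
    return ["Generic WAF"] if generic_detection(normal, probes) else []


def sample_cases():
    """Constructed responses for three sites: behind Cloudflare, behind an unnamed filter,
    and unprotected. Header values are placeholders; nothing is sent anywhere."""
    cloudflare = (
        Response(200, {"Server": "cloudflare", "CF-RAY": "placeholder-id"}),
        [Response(403, {"Server": "cloudflare", "CF-RAY": "placeholder-id"}, "Attention Required!")],
    )
    unnamed = (
        Response(200, {"Server": "nginx"}),
        [Response(200, {"Server": "nginx"}), Response(403, {"Server": "nginx"}, "Request rejected")],
    )
    unprotected = (
        Response(200, {"Server": "Apache"}),
        [Response(200, {"Server": "Apache"}), Response(200, {"Server": "Apache"})],
    )
    return {"cloudflare": cloudflare, "unnamed": unnamed, "unprotected": unprotected}


if __name__ == "__main__":
    for site, (normal, probes) in sample_cases().items():
        result = fingerprint(normal, probes, find_all=True)
        print(f"{site}: {result or ['no WAF detected']}")
```

The generic stage deliberately compares only block-style statuses and the Server header rather than any status difference, since a probe against a non-existent path legitimately returns 404 without any WAF involved; a real tool tunes this heuristic against many more signals than shown here.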

Installation

```bash
sudo apt install wafw00f
```

Flags

-h, --help                 show this help message and exit
-v, --verbose              Enable verbosity, multiple -v options increase verbosity
-a, --findall              Find all WAFs which match the signatures, do not stop testing on the first one
-r, --noredirect           Do not follow redirections given by 3xx responses
-t TEST, --test=TEST       Test for one specific WAF
-o OUTPUT, --output=OUTPUT Output results to specified file

Examples

Basic usage: test a single URL for WAF presence
    wafw00f http://www.victim.org/

Test multiple URLs simultaneously for WAF detection
    wafw00f http://example.com http://test.com

Enable verbose output for detailed detection process
    wafw00f -v http://www.victim.org/

Increase verbosity level for more detailed logging
    wafw00f -vv http://www.victim.org/

Find all matching WAF signatures without stopping at first match
    wafw00f -a http://www.victim.org/

Test without following HTTP 3xx redirects
    wafw00f -r http://www.victim.org/

Test specifically for Cloudflare WAF
    wafw00f -t Cloudflare http://www.victim.org/
Updated 2026-04-16 (source: kali.org)