Timeout configuration controls how long whatwaf waits for each probe request to complete. Proper timeout values are crucial for accurate WAF detection, especially when working with slow networks or proxies.
CLI usage
Use the -T or --timeout flag to set the timeout in seconds:
whatwaf -T 30 https://example.com
whatwaf --timeout 5 https://fast-target.com
Default value
The default timeout is 10 seconds (cli.rs:10):
#[arg(short = 'T', long = "timeout", default_value_t = 10)]
pub timeout: u64,
Library usage
Set the timeout field in ScanConfig:
use whatwaf::{scan_url, ScanConfig};
let config = ScanConfig {
timeout: 30, // 30 seconds
follow_redirects: false,
proxy: None,
};
let result = scan_url("https://example.com", config, None)?;
reqwest::Client::builder().timeout() (lib.rs:83):
let mut builder = Client::builder().timeout(Duration::from_secs(config.timeout));
Why timeout matters for WAF detection
Timeout configuration affects WAF detection in several ways:
1. WAF processing time
WAFs may take longer to analyze and block malicious requests compared to normal requests. A timeout that’s too short might cause false negatives:
# Too short - may miss WAF detections
whatwaf -T 2 https://example.com
# Better - allows time for WAF processing
whatwaf -T 10 https://example.com
2. Network conditions
Slow networks or remote targets may require longer timeouts:
let config = ScanConfig {
timeout: 20, // Longer timeout for international targets
follow_redirects: false,
proxy: None,
};
3. Proxy overhead
Proxies add latency. Increase timeout when using proxies:
whatwaf -T 30 -x http://127.0.0.1:8080 https://example.com
4. Per-request timeout
whatwaf runs 4 probe requests per scan (lib.rs:76-81):
let probes = vec![
("plain request", None),
("xss", Some(("q", "<script>alert(1)</script>"))),
("sql injection", Some(("id", "' OR '1'=1'"))),
("lfi", Some(("file", "../../../../etc/passwd"))),
];
timeout × 4 seconds.
If early probes detect a WAF, the scan stops early and doesn’t wait for all timeouts.
Recommended values for different scenarios
| Scenario | Recommended Timeout | Reasoning |
|---|
| Fast local network | 5 seconds | Low latency, quick responses |
| Standard internet target | 10 seconds (default) | Balanced for most cases |
| Slow or remote target | 20-30 seconds | High latency networks |
| With proxy (Burp, etc.) | 20-30 seconds | Proxy adds overhead |
| Corporate network | 15-20 seconds | Potential filtering delays |
| Tor or SOCKS proxy | 30-60 seconds | High latency anonymization |
Error handling
If a request times out, you’ll receive a ScanError::Request error (lib.rs:107-110):
pub enum ScanError {
Request {
url: String,
source: reqwest::Error,
},
// ...
}
request failed for https://example.com?q=<script>alert(1)</script>: operation timed out
Timeouts that are too short can cause false negatives where WAFs are present but not detected. When in doubt, increase the timeout value.
Examples
Quick scan for fast targets
whatwaf -T 5 https://local-dev.example.com
Patient scan through Burp Suite
whatwaf -T 30 -x http://127.0.0.1:8080 https://target.com
Library usage with custom timeout
use whatwaf::{scan_url, ScanConfig, ScanError};
let config = ScanConfig {
timeout: 15,
follow_redirects: true,
proxy: None,
};
match scan_url("https://example.com", config, None) {
Ok(result) => {
if let Some(r) = result {
if let Some(wafs) = r.detected_wafs {
println!("Detected WAFs: {}", wafs.join(", "));
} else {
println!("No WAF detected");
}
}
}
Err(ScanError::Request { url, source }) => {
eprintln!("Request timeout for {}: {}", url, source);
}
Err(e) => eprintln!("Scan error: {}", e),
}
See also