Skip to main content
This guide covers common issues you may encounter when using whatwaf and how to resolve them.

No WAF detected (false negatives)

Problem

whatwaf completes the scan but reports “no waf detected” even though you know a WAF is present. 
* scanning https://example.com
* plain request probe -> https://example.com
	- no detection (status=200)
* xss probe -> https://example.com?q=<script>alert(1)</script>
	- no detection (status=200)
* sql injection probe -> https://example.com?id=' OR '1'=1'
	- no detection (status=200)
* lfi probe -> https://example.com?file=../../../../etc/passwd
	- no detection (status=200)
~ no waf detected

Solutions

1. WAF not in detection database

whatwaf only detects WAFs it has signatures for. List supported WAFs: 
whatwaf --list
If your target’s WAF isn’t listed, it won’t be detected.

2. WAF in monitoring mode

Some WAFs run in “monitoring” or “detection-only” mode and don’t block requests. They return status 200 without distinctive headers.
Check if the WAF blocks more aggressive payloads or different attack vectors not covered by whatwaf’s probes.

3. Insufficient timeout

WAFs may take time to analyze requests. Increase the timeout: 
whatwaf -T 30 https://example.com
See Custom timeouts for more details.

4. Redirect handling disabled

If the target redirects and you’re not following redirects, the WAF may be on the redirect target: 
whatwaf -L https://example.com
The -L flag enables redirect following (cli.rs:14-15).

Connection errors

Timeout errors

Error message

! scan failed: request failed for https://example.com: operation timed out

Cause

Request exceeded the timeout value (default: 10 seconds). This is a ScanError::Request error (lib.rs:36-39): 
ScanError::Request {
    url: String,
    source: reqwest::Error,
}

Solutions

  1. Increase timeout: Use -T flag with a higher value
whatwaf -T 30 https://slow-target.com
  1. Check network connectivity: Verify you can reach the target
curl -v https://example.com
  1. Check proxy settings: If using a proxy, ensure it’s reachable
# Test proxy connectivity
curl -x http://127.0.0.1:8080 https://example.com

DNS resolution failures

Error message

! scan failed: request failed for https://invalid-domain.example: failed to lookup address information

Solutions

  1. Verify the domain: Ensure the URL is correct
# Test DNS resolution
nslookup example.com
  1. Check DNS configuration: Ensure your DNS resolver is working
cat /etc/resolv.conf

Proxy issues

Invalid proxy configuration

Error message

! scan failed: invalid proxy 'http://invalid-proxy:8080': failed to lookup address information

Cause

This is a ScanError::InvalidProxy error (lib.rs:31-34): 
ScanError::InvalidProxy {
    proxy: String,
    source: reqwest::Error,
}
The proxy URL is malformed or the proxy server is unreachable.

Solutions

  1. Verify proxy URL format:
# Correct formats
whatwaf -x http://127.0.0.1:8080 https://example.com
whatwaf -x socks5://proxy.example.com:1080 https://example.com
  1. Test proxy connectivity:
curl -x http://127.0.0.1:8080 https://example.com
  1. Check if proxy requires authentication:
whatwaf -x http://username:[email protected]:3128 https://example.com

Proxy connection refused

Error message

! scan failed: invalid proxy 'http://127.0.0.1:8080': connection refused

Solutions

  1. Verify proxy is running: Check if Burp Suite or your proxy tool is active
  2. Verify port: Ensure the proxy is listening on the specified port 
# Check if port is listening
netstat -an | grep 8080
  1. Check firewall: Ensure no firewall is blocking the proxy port

SSL/TLS certificate errors

Self-signed certificate errors

Error message

! scan failed: request failed for https://self-signed.example.com: certificate verify failed

Current limitation

whatwaf currently does not expose an option to disable certificate verification. The underlying reqwest::Client validates certificates by default (lib.rs:83).

Workaround

Use a proxy that handles certificate validation: 
# Burp Suite with cert validation disabled
whatwaf -x http://127.0.0.1:8080 https://self-signed.example.com
In Burp Suite, go to Proxy → Options → TLS Pass Through to handle problematic certificates.

Redirect handling

Issue: WAF on redirect target

By default, whatwaf does not follow redirects (cli.rs:14-15): 
#[arg(short = 'L', long = "location", default_value_t = false)]
pub location: bool,
If the target redirects to a URL protected by a WAF, you won’t detect it unless you follow redirects.

Solution

Use the -L or --location flag: 
whatwaf -L https://example.com
Library usage: 
let config = ScanConfig {
    timeout: 10,
    follow_redirects: true, // Follow redirects
    proxy: None,
};
Internally, this configures the reqwest client (lib.rs:85-87): 
if !config.follow_redirects {
    builder = builder.redirect(reqwest::redirect::Policy::none());
}

Understanding ScanError types

whatwaf defines three error types (lib.rs:30-40):

1. InvalidProxy

ScanError::InvalidProxy {
    proxy: String,
    source: reqwest::Error,
}
When it occurs: During HTTP client initialization when the proxy URL is invalid or unreachable. Example: 
invalid proxy 'http://bad-proxy:8080': failed to lookup address information

2. ClientBuild

ScanError::ClientBuild(reqwest::Error)
When it occurs: When the HTTP client fails to build, typically due to invalid configuration. Example: 
failed to build HTTP client: <error details>

3. Request

ScanError::Request {
    url: String,
    source: reqwest::Error,
}
When it occurs: When an HTTP request fails (timeout, DNS failure, connection refused, etc.). Example: 
request failed for https://example.com?q=<script>alert(1)</script>: operation timed out

Debugging tips

1. Increase verbosity with a callback

When using the library, use the on_probe callback to see detailed probe results: 
use whatwaf::{scan_url, ScanConfig, ProbeResult};

let config = ScanConfig {
    timeout: 10,
    follow_redirects: false,
    proxy: None,
};

let result = scan_url(
    "https://example.com",
    config,
    Some(|r: &ProbeResult| {
        println!("Probe: {} -> {}", r.probe_name, r.url);
        println!("  Status: {}", r.status);
        if let Some(wafs) = &r.detected_wafs {
            println!("  WAFs: {}", wafs.join(", "));
            return false; // Stop on detection
        }
        true // Continue scanning
    }),
)?;
The callback is invoked for each probe (lib.rs:120-125) and receives full probe details.

2. Use Burp Suite to inspect traffic

Route traffic through Burp Suite to see exactly what’s being sent: 
whatwaf -T 30 -x http://127.0.0.1:8080 https://target.com
This lets you:
  • Inspect HTTP headers sent by whatwaf
  • View WAF response headers and bodies
  • Modify and replay requests
  • Bypass SSL/TLS certificate issues

3. Test with curl first

Before using whatwaf, test basic connectivity: 
# Test basic access
curl -v https://example.com

# Test with attack payload
curl -v "https://example.com?q=<script>alert(1)</script>"

# Test through proxy
curl -v -x http://127.0.0.1:8080 https://example.com

4. Check probe URLs

whatwaf uses these probe patterns (lib.rs:76-81): 
let probes = vec![
    ("plain request", None),
    ("xss", Some(("q", "<script>alert(1)</script>"))),
    ("sql injection", Some(("id", "' OR '1'=1'"))),
    ("lfi", Some(("file", "../../../../etc/passwd"))),
];
Test these patterns manually: 
curl "https://example.com"
curl "https://example.com?q=<script>alert(1)</script>"
curl "https://example.com?id=' OR '1'=1'"
curl "https://example.com?file=../../../../etc/passwd"

5. List supported detectors

Verify which WAFs whatwaf can detect: 
whatwaf --list
If you expect a specific WAF but it’s not in the list, whatwaf won’t detect it.

Getting help

If you’re still experiencing issues:
  1. Check the source code: whatwaf is open source - review lib.rs and detector implementations
  2. Test with different targets: Verify whatwaf works with known-protected sites
  3. File an issue: Report bugs with full error messages and reproduction steps

See also

Build docs developers (and LLMs) love

Get started for freeTalk to us