
Basic scan

Scan a website with default settings:
whatwaf https://example.com
Output:
* scanning https://example.com
* base probe -> https://example.com
	- no detection (status=200)
* sqli probe -> https://example.com?id=1' OR '1'='1
	+ waf=(cloudflare) status=403
~ detected waf: Cloudflare
The detection signal is the difference between the two probes: the harmless base request was served (200), while the same URL with a SQL injection payload in the query string was refused (403) with a response matching the Cloudflare signature. A 403 on its own is not the evidence; a site that rejects every request, or the base probe itself, would look the same without the comparison.
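To make that probe differential concrete, here is an added Python illustration of the base/sqli/xss sequence shown above. It is not whatwaf's code: the `Response` class, the `fake_fetch` lookup table and the small header signature table are all constructed for this example, and whatwaf's real signature set is not shown on this page.

```python
"""Differential WAF probing against canned responses (added illustration,
not whatwaf's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Assumed, deliberately tiny signature table: a vendor is claimed when the
# blocking response carries one of these headers (value substring or any value).
SIGNATURES = {
    "cloudflare": [("server", "cloudflare"), ("cf-ray", None)],
    "sucuri": [("server", "sucuri"), ("x-sucuri-id", None)],
}

# The attack probes from the page's output, appended to the target URL.
PROBES = [
    ("sqli", "?id=1' OR '1'='1"),
    ("xss", "?q=<script>alert(1)</script>"),
]

# Status codes treated as "the request was refused by something in front".
BLOCK_STATUSES = {403, 406, 419, 429, 503}


def match_signatures(resp):
    """Return the vendor names whose header signature appears in resp."""
    lowered = {k.lower(): str(v).lower() for k, v in resp.headers.items()}
    found = []
    for name, rules in SIGNATURES.items():
        for header, needle in rules:
            if header in lowered and (needle is None or needle in lowered[header]):
                found.append(name)
                break
    return found


def scan(url, fetch):
    """Mirror whatwaf's flow: one base probe, then attack probes compared to it."""
    base = fetch(url)
    detected = []
    for _name, payload in PROBES:
        resp = fetch(url + payload)
        # Only a change relative to the base probe is a signal: the attack
        # payload is refused while the harmless request was served.
        if resp.status == base.status or resp.status not in BLOCK_STATUSES:
            continue
        hits = match_signatures(resp) or ["unknown"]
        for waf in hits:
            if waf not in detected:
                detected.append(waf)
    return detected


# Constructed responses standing in for the network; unknown URLs answer 200.
CANNED = {
    "https://example.com": Response(200, {"Server": "nginx"}),
    "https://example.com?id=1' OR '1'='1": Response(403, {"Server": "cloudflare", "CF-RAY": "0123abcd"}),
    "https://example.com?q=<script>alert(1)</script>": Response(403, {"Server": "cloudflare"}),
    "https://multi-waf.com": Response(200, {}),
    "https://multi-waf.com?id=1' OR '1'='1": Response(403, {"Server": "Sucuri/Cloudproxy", "CF-RAY": "4567ef01"}),
    "https://multi-waf.com?q=<script>alert(1)</script>": Response(403, {"Server": "Sucuri/Cloudproxy"}),
    "https://blocked.example": Response(200, {}),
    "https://blocked.example?id=1' OR '1'='1": Response(403, {"Server": "nginx"}),
}


def fake_fetch(url):
    return CANNED.get(url, Response(200, {}))


if __name__ == "__main__":
    for target in ("https://example.com", "https://multi-waf.com",
                   "https://slow-server.com", "https://blocked.example"):
        print(target, "->", scan(target, fake_fetch) or "no waf detected")
```

Two edge cases fall out of the comparison: a target that is down or refuses every request gives no differential and is reported as nothing detected, and a block whose response matches no signature is reported as `unknown` rather than attributed to a vendor.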

Scan with custom timeout

For slow servers or networks, increase the timeout to 30 seconds:
whatwaf --timeout 30 https://slow-server.com
Output:
* scanning https://slow-server.com
* base probe -> https://slow-server.com
	- no detection (status=200)
* sqli probe -> https://slow-server.com?id=1' OR '1'='1
	- no detection (status=200)
* xss probe -> https://slow-server.com?q=<script>alert(1)</script>
	- no detection (status=200)
~ no waf detected
The longer timeout allows whatwaf to wait for responses from slow servers without timing out prematurely.

Scan through proxy

Route traffic through Burp Suite or another proxy for debugging:
whatwaf --proxy http://127.0.0.1:8080 https://example.com
Output:
* scanning https://example.com
* base probe -> https://example.com
	- no detection (status=200)
* sqli probe -> https://example.com?id=1' OR '1'='1
	+ waf=(aws waf) status=403
~ detected waf: AWS WAF
Every probe passes through the proxy, so you can inspect the exact request line, headers, payloads and responses there, or replay a single probe by hand. For HTTPS targets, an intercepting proxy such as Burp presents its own certificate, so its CA certificate must be trusted on the scanning host or TLS verification will fail before any probe is sent.

Scan with redirects enabled

Follow HTTP redirects to scan the final destination. Without this option the probes are sent to the URL as given, so a 301/302 answer is what gets analyzed and the WAF in front of the final destination is never exercised:
whatwaf --location https://example.com
Output:
* scanning https://example.com
* base probe -> https://example.com
	- no detection (status=200)
* sqli probe -> https://example.com?id=1' OR '1'='1
	+ waf=(akamai) status=403
~ detected waf: Akamai
This is useful when:
  • The URL redirects from HTTP to HTTPS
  • The domain redirects to a www subdomain
  • The path redirects to a different location

List all detectors

View all WAF signatures that whatwaf can recognize:
whatwaf --list
Output:
~ whatwaf can currently recognize:
	Cloudflare
	Akamai
	AWS WAF
	Imperva
	F5 BIG-IP
	Barracuda
	FortiWeb
	ModSecurity
	Sucuri
	Wordfence
This command does not require a URL and exits immediately after displaying the list.

Combined options

Combine multiple options for advanced scanning:
whatwaf --timeout 30 --location --proxy http://127.0.0.1:8080 https://example.com
Output:
* scanning https://example.com
* base probe -> https://example.com
	- no detection (status=200)
* sqli probe -> https://example.com?id=1' OR '1'='1
	+ waf=(imperva) status=403
~ detected waf: Imperva
This command:
  • Uses a 30-second timeout per request
  • Follows HTTP redirects
  • Routes traffic through a local proxy on port 8080

Multiple WAF detection

When more than one WAF signature appears in the same blocking response, for example a CDN's WAF in front of a second WAF at the origin:
whatwaf https://multi-waf.com
Output:
* scanning https://multi-waf.com
* base probe -> https://multi-waf.com
	- no detection (status=200)
* sqli probe -> https://multi-waf.com?id=1' OR '1'='1
	+ waf=(cloudflare, sucuri) status=403
~ detected wafs (2):
	- cloudflare
	- sucuri
Some sites use multiple layers of WAF protection. whatwaf will detect and report all recognized signatures.
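When whatwaf is run over many targets, the console output shown in the Basic scan and Multiple WAF detection sections is what a script has to work with. The following added Python parser is not part of whatwaf; the three sample outputs are copied from this page, and the field names in the returned dict are my own choice.

```python
"""Parse whatwaf console output into structured results (added example)."""
import re

# Constructed samples, copied from the output shown on this page.
SAMPLE_SINGLE = """\
* scanning https://example.com
* base probe -> https://example.com
\t- no detection (status=200)
* sqli probe -> https://example.com?id=1' OR '1'='1
\t+ waf=(cloudflare) status=403
~ detected waf: Cloudflare
"""

SAMPLE_MULTI = """\
* scanning https://multi-waf.com
* base probe -> https://multi-waf.com
\t- no detection (status=200)
* sqli probe -> https://multi-waf.com?id=1' OR '1'='1
\t+ waf=(cloudflare, sucuri) status=403
~ detected wafs (2):
\t- cloudflare
\t- sucuri
"""

SAMPLE_NONE = """\
* scanning https://slow-server.com
* base probe -> https://slow-server.com
\t- no detection (status=200)
* sqli probe -> https://slow-server.com?id=1' OR '1'='1
\t- no detection (status=200)
* xss probe -> https://slow-server.com?q=<script>alert(1)</script>
\t- no detection (status=200)
~ no waf detected
"""


def parse_whatwaf_output(text):
    """Return {"target", "probes", "wafs"} from one whatwaf run's output.

    Handles the three verdict forms on this page: a single "~ detected waf:",
    the "~ detected wafs (N):" list, and "~ no waf detected".
    """
    result = {"target": None, "probes": [], "wafs": []}
    in_list = False  # inside the "- name" lines that follow "detected wafs (N):"
    for raw in text.splitlines():
        line = raw.strip()
        if in_list:
            m = re.match(r"^- (\S+)$", line)
            if m:
                result["wafs"].append(m.group(1))
                continue
            in_list = False
        if m := re.match(r"^\* scanning (\S+)$", line):
            result["target"] = m.group(1)
        elif m := re.match(r"^\* (\w+) probe -> (.+)$", line):
            result["probes"].append({"name": m.group(1), "url": m.group(2),
                                     "status": None, "wafs": []})
        elif (m := re.match(r"^- no detection \(status=(\d+)\)$", line)) and result["probes"]:
            result["probes"][-1]["status"] = int(m.group(1))
        elif (m := re.match(r"^\+ waf=\((.*?)\) status=(\d+)$", line)) and result["probes"]:
            # A probe line can name several vendors at once: "waf=(cloudflare, sucuri)".
            result["probes"][-1]["wafs"] = [w.strip() for w in m.group(1).split(",")]
            result["probes"][-1]["status"] = int(m.group(2))
        elif m := re.match(r"^~ detected waf: (.+)$", line):
            result["wafs"] = [m.group(1).strip()]
        elif re.match(r"^~ detected wafs \(\d+\):$", line):
            in_list = True
        elif line == "~ no waf detected":
            result["wafs"] = []
    return result


def summarize(outputs):
    """Map each target to the WAF names whatwaf reported, for batch runs."""
    return {r["target"]: r["wafs"] for r in map(parse_whatwaf_output, outputs)}


if __name__ == "__main__":
    for target, wafs in summarize([SAMPLE_SINGLE, SAMPLE_MULTI, SAMPLE_NONE]).items():
        print(f"{target}: {', '.join(wafs) or 'no waf detected'}")
```

Note that the per-probe `waf=(...)` lines carry lower-case names while the single-WAF verdict line uses the display name (`Cloudflare`), so normalize case before comparing the two if you cross-check them.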
