whatwaf

What is whatwaf?

whatwaf is a Rust-based CLI tool and library that detects web application firewalls (WAFs) by sending crafted HTTP probe requests to a target site and analyzing responses for indicators of WAF blocking behavior. It identifies common commercial and open-source firewalls by matching characteristic response headers, patterns, and body content against known WAF fingerprints.

Installation

Get started with whatwaf via Cargo or as a library dependency

Quickstart

Run your first WAF detection scan in seconds

How it works

Learn about the probe strategy and detection methodology

CLI reference

View all available command-line options and flags

Key features

whatwaf sends four different probe requests to test WAF behavior:
  • Plain request: Baseline HTTP request with no payloads
  • XSS probe: Cross-site scripting payload (<script>alert(1)</script>)
  • SQL injection probe: SQL injection payload (' OR '1'='1')
  • LFI probe: Local file inclusion payload (../../../../etc/passwd)
Detects major commercial and open-source WAFs including:
  • Cloudflare, AWS CloudFront, Azure Front Door
  • Akamai Kona Site Defender, Imperva Incapsula
  • Barracuda, Fortinet FortiWeb, Check Point
  • And many more regional and specialized WAFs
Built in Rust for performance with:
  • Configurable request timeouts
  • Optional redirect following
  • Proxy support for tunneling requests
  • Minimal dependencies
Flexible integration options:
  • Standalone CLI tool for security testing
  • Rust library with simple API for embedding in your applications
  • Callback support for real-time probe result handling

Example output

Here’s what a typical WAF detection looks like:
whatwaf https://example.com
* scanning https://example.com
* plain request probe -> https://example.com
	- no detection (status=200)
* xss probe -> https://example.com/?q=<script>alert(1)</script>
	+ waf=(cloudflare) status=403
~ detected waf: Cloudflare
In this example:
  1. The plain request returned HTTP 200 with no WAF detection
  2. The XSS probe triggered a 403 Forbidden response
  3. The response matched Cloudflare’s fingerprint (blocked message + headers)
  4. Detection stopped after finding a match
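The following is an added, stand-alone illustration of the methodology described above (a baseline response compared with each probe's response, a blocking response matched against WAF fingerprints, and scanning stopping at the first match); it is not whatwaf's own code or API, and the `Response`, `Fingerprint` and `detect` names as well as the fingerprint values are assumptions made for the example.

```rust
// Added illustration of the page's detection methodology (baseline vs probe responses,
// matched against WAF fingerprints). Not whatwaf's own API; fingerprint values are illustrative.

/// One HTTP response, constructed offline here.
#[derive(Debug, Clone)]
pub struct Response {
    pub status: u16,
    pub headers: Vec<(String, String)>,
    pub body: String,
}

/// A WAF block-page signature: optional (header name, value substring) plus optional body substring.
pub struct Fingerprint {
    pub name: &'static str,
    pub header: Option<(&'static str, &'static str)>,
    pub body: Option<&'static str>,
}

// Illustrative placeholders; whatwaf keeps its real signature tables elsewhere.
pub const FINGERPRINTS: &[Fingerprint] = &[
    Fingerprint { name: "Cloudflare", header: Some(("server", "cloudflare")), body: Some("attention required") },
    Fingerprint { name: "Generic block page", header: None, body: Some("access denied") },
];

fn header_contains(resp: &Response, name: &str, needle: &str) -> bool {
    resp.headers.iter().any(|(k, v)| k.eq_ignore_ascii_case(name) && v.to_ascii_lowercase().contains(needle))
}

/// True when every pattern the fingerprint specifies is present (case-insensitive).
pub fn fingerprint_matches(fp: &Fingerprint, resp: &Response) -> bool {
    let header_ok = fp.header.map_or(true, |(k, v)| header_contains(resp, k, v));
    let body_ok = fp.body.map_or(true, |s| resp.body.to_ascii_lowercase().contains(s));
    header_ok && body_ok
}

/// Walk the probes in order and stop at the first match, returning (probe label, WAF name).
/// A probe whose status equals the baseline's is skipped: a CDN header that appears on
/// every page is not evidence of blocking, so this avoids a false positive.
pub fn detect(baseline: &Response, probes: &[(&str, Response)]) -> Option<(String, &'static str)> {
    for (label, resp) in probes {
        if resp.status == baseline.status { continue; }
        if let Some(fp) = FINGERPRINTS.iter().find(|fp| fingerprint_matches(fp, resp)) {
            return Some((label.to_string(), fp.name));
        }
    }
    None
}
```

Because the baseline is consulted, a site fronted by a CDN that stamps the same server header on every page is only reported when a probe actually changes the response status.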

Use cases

Security reconnaissance: Identify WAF presence before penetration testing

Infrastructure mapping: Document security layers protecting web applications

Automation: Integrate WAF detection into security scanning pipelines

Research: Study WAF behavior patterns and evasion techniques
whatwaf is intended for authorized security testing only. Always obtain proper authorization before scanning any website you don’t own.

Next steps

Get started

Install whatwaf and run your first scan