wafw00f (WAFW00F) is a web application firewall (WAF) detection and fingerprinting tool. It sends HTTP requests to a target website and analyzes the responses to identify which WAF product is protecting the application. Essential for reconnaissance during penetration tests and security assessments.
# Install from PyPI
pip install wafw00f
# Verify installation
wafw00f -h
wafw00f --version
# Clone repository
git clone https://github.com/EnableSecurity/wafw00f.git
cd wafw00f
# Install dependencies
pip install -r requirements.txt
# Run directly
python wafw00f.py -h
# Already included in Kali
apt-get install wafw00f
# Update
apt-get update && apt-get upgrade wafw00f
# Build Docker image
docker build -t wafw00f .
# Run in container
docker run --rm wafw00f https://target.com
docker run --rm wafw00f -a https://target.com
# Detect WAF on single URL
wafw00f https://example.com
# Sample output:
# [*] Sending requests to https://example.com
# [+] WAF detected: CloudFlare
# [!] Number of requests: 1
# Multiple URLs on command line
wafw00f https://site1.com https://site2.com https://site3.com
# From file with URLs
wafw00f -i targets.txt
# targets.txt format:
# https://example1.com
# https://example2.com
# https://example3.com
# Verbose output (show all fingerprints tested)
wafw00f -v https://target.com
# Very verbose (more details on matching)
wafw00f -vv https://target.com
# Show all WAFs identified (not just first match)
wafw00f -a https://target.com
# JSON output for scripting
wafw00f -o json https://target.com > results.json
# CSV output for spreadsheets
wafw00f -o csv https://target.com > results.csv
# TXT output (default)
wafw00f -o txt https://target.com
# List all detectable WAFs
wafw00f -l
# Show WAF details
wafw00f -l | head -20
# Sample output includes:
# - CloudFlare
# - AWS WAF
# - Akamai
# - Imperva SecureSphere
# - ModSecurity
# - F5 BIG-IP ASM
# - Barracuda WAF
# - Fortinet FortiWAF
# - Citrix NetScaler
# - Apache ModSecurity
# CloudFlare detection
wafw00f https://cloudflare-protected.com
# AWS WAF detection
wafw00f https://aws-protected.com
# Akamai detection
wafw00f https://akamai-protected.com
# ModSecurity detection
wafw00f https://modsecurity.example.com
# Imperva detection
wafw00f https://imperva-protected.com
# Add custom User-Agent
wafw00f -u "Mozilla/5.0 Custom" https://target.com
# Add HTTP headers via environment
export CUSTOM_HEADERS="Authorization: Bearer token"
wafw00f https://target.com
# Set connection timeout (seconds)
wafw00f --timeout 10 https://target.com
# Set timeout to 5 seconds for slow targets
wafw00f --timeout 5 https://slow-target.com
# Route through HTTP proxy
wafw00f -p http://localhost:8080 https://target.com
# Route through SOCKS proxy
wafw00f -p socks5://localhost:1080 https://target.com
# Burp Suite integration
wafw00f -p http://127.0.0.1:8080 https://target.com
# Ignore SSL certificate verification (self-signed)
wafw00f --ignore-ssl-errors https://target.com
# Specify certificate file
wafw00f --cert /path/to/cert.pem https://target.com
| WAF Product | Detection Method | Variants |
|---|
| CloudFlare | HTTP headers, response patterns | Free, Pro, Business |
| AWS WAF | X-Amzn-RequestId, response codes | ALB, CloudFront, API Gateway |
| Akamai | HTTP headers, response fingerprints | Kona Site Defender |
| Imperva | X-Forwarded-For variations | SecureSphere, Cloud WAF |
| ModSecurity | Server header, error pages | Open source rule sets |
| F5 BIG-IP | ASM signature detection | LTM, GTM variants |
| Barracuda | Response headers, cookie patterns | Various versions |
| Fortinet | Fortinet header analysis | FortiWAF, FortiDDoS |
| Citrix | NetScaler detection | AppEx, Gateway variants |
| nginx | ModSecurity on nginx | Open source WAF |
# Use case sensitivity in requests
wafw00f -u "Mozilla/5.0" https://target.com
# Request path traversal detection
wafw00f https://target.com
# Test rate-limiting WAF response
wafw00f --timeout 15 https://target.com
# 1. Identify WAF
wafw00f https://target.com
# 2. Get more details
wafw00f -v https://target.com
# 3. Check all potential WAFs
wafw00f -a https://target.com
# 4. Export results for analysis
wafw00f -o json https://target.com > waf_info.json
# Use with Nmap for service detection
nmap -sV --script http-waf-detection target.com
# Chain with other recon tools
wafw00f https://target.com && \
nmap -p 80,443 --script http-headers target.com
# Parse output for further testing
wafw00f -o json https://target.com | jq '.waf_detected'
# Extract detected WAF
wafw00f -o json https://target.com | jq '.waf_detected'
# Check if WAF found
wafw00f -o json https://target.com | jq '.is_waf_detected'
# Parse multiple results
for url in $(cat targets.txt); do
wafw00f -o json "$url" | jq '{url: .target, waf: .waf_detected}'
done
# Scan file with output
for target in $(cat targets.txt); do
echo "Scanning: $target"
wafw00f "$target" -o txt >> results.txt
done
# Process CSV results
wafw00f -i targets.txt -o csv > waf_results.csv
cat waf_results.csv | sort | uniq -c | sort -rn
#!/bin/bash
# scan_wafs.sh - Scan targets and log results
TARGETS_FILE="targets.txt"
OUTPUT_DIR="waf_scans"
mkdir -p "$OUTPUT_DIR"
while read target; do
echo "[+] Scanning $target..."
FILENAME=$(echo "$target" | sed 's|https://||g' | sed 's|/|_|g')
wafw00f -o json "$target" > "$OUTPUT_DIR/$FILENAME.json"
wafw00f "$target" >> "$OUTPUT_DIR/summary.txt"
done < "$TARGETS_FILE"
echo "[*] Scan complete. Results in $OUTPUT_DIR"
#!/usr/bin/env python3
import subprocess
import json
import sys
def detect_waf(url):
"""Run wafw00f and return results as dict"""
try:
result = subprocess.run(
['wafw00f', '-o', 'json', url],
capture_output=True,
text=True,
timeout=30
)
if result.returncode == 0:
return json.loads(result.stdout)
else:
print(f"Error scanning {url}: {result.stderr}")
return None
except Exception as e:
print(f"Exception: {e}")
return None
# Scan multiple targets
targets = ['https://site1.com', 'https://site2.com']
for target in targets:
data = detect_waf(target)
if data:
print(f"{target}: {data.get('waf_detected', 'None')}")
# Scan multiple targets in parallel with GNU Parallel
cat targets.txt | parallel wafw00f -o json {} > results.json
# Or with xargs
cat targets.txt | xargs -I {} -P 5 wafw00f -o json {} > results.json
# Limit parallel jobs to 5
cat targets.txt | xargs -I {} -P 5 wafw00f {} >> results.txt
| Issue | Solution |
|---|
| No WAF detected | Target may have no WAF, try with -a flag |
| SSL certificate error | Use --ignore-ssl-errors flag |
| Timeout errors | Increase timeout with --timeout 30 |
| Rate limited | Add delays between requests or use proxy |
| DNS resolution | Check URL format, verify DNS resolves |
# Enable verbose debugging
wafw00f -vv https://target.com
# Show HTTP request/response details
wafw00f -v https://target.com 2>&1 | head -50
# Check target accessibility first
curl -I https://target.com
# Reduce timeout for fast responses
wafw00f --timeout 5 https://target.com
# Scan only essentials (not all WAF signatures)
wafw00f https://target.com
# Parallel scanning for batch
cat targets.txt | parallel -j 10 wafw00f {}
# Always get authorization before scanning
# WAF detection is part of legitimate security assessment
# Document WAF findings in reports
# Responsible disclosure:
# 1. Identify WAF protecting application
# 2. Note WAF version/configuration if detectable
# 3. Include in findings for remediation planning
# As a defender, know that tools like wafw00f can:
# - Fingerprint your WAF through response analysis
# - Enumerate supported WAF rules
# - Identify WAF bypass opportunities
# Mitigation strategies:
# - Minimize distinctive WAF headers
# - Normalize error responses
# - Implement consistent response codes
# - Hide WAF signatures from responses
