Documentation

Name: WAFtester
Author: WAFtester

WAFtester is a CLI for testing Web Application Firewalls. It scans, detects, bypasses, benchmarks, and reports — all from a single binary.

Quick Start

Three commands to your first scan:

# Install
npm install -g @waftester/cli

# Basic scan
waftester scan -u https://your-app.com

# Smart scan (recommended)
waftester scan -u https://your-app.com --smart

The --smart flag enables adaptive scanning: WAFtester detects the WAF vendor first, selects relevant payloads, and adjusts evasion techniques automatically.

For a full automated assessment:

waftester auto -u https://your-app.com -o report.html

This runs detection, scanning, bypass testing, and generates an HTML report in one command.

Full quick start guide →

Installation

npm (recommended)

npm install -g @waftester/cli

Go

go install github.com/waftester/waftester@latest

Homebrew

brew install waftester/tap/waftester

Docker

docker run --rm ghcr.io/waftester/waftester scan -u https://your-app.com

Binary Download

Download pre-built binaries for Linux, macOS, and Windows from GitHub Releases.

# Linux/macOS
curl -sSL https://github.com/waftester/waftester/releases/latest/download/waftester_linux_amd64.tar.gz | tar xz
sudo mv waftester /usr/local/bin/

Full installation guide →

Core Commands

WAFtester ships 33 commands organized by workflow stage.

Scanning & Detection

Command	Description
`scan`	Vulnerability scanning with 2,800+ payloads
`auto`	Full automated assessment (detect + scan + bypass + report)
`vendor`	WAF vendor detection (197 signatures)
`protocol`	Protocol detection (HTTP/1.1, HTTP/2, WebSocket)
`assess`	Enterprise security assessment with scoring
`discover`	Attack surface discovery and planning

Bypass & Evasion

Command	Description
`bypass`	WAF bypass discovery with 70+ evasion techniques
`mutate`	Mutation-based testing with encoding chains
`fuzz`	Content fuzzing with custom wordlists
`fp`	False positive testing

Protocol Testing

Command	Description
`graphql`	GraphQL security testing
`grpc`	gRPC security testing
`soap`	SOAP/WSDL security testing
`smuggle`	HTTP request smuggling
`race`	Race condition testing
`probe`	Protocol probing

Recon & Analysis

Command	Description
`crawl`	Web crawling and endpoint discovery
`analyze`	JavaScript analysis
`headless`	Headless browser testing
`openapi`	OpenAPI specification testing

Workflow & Utilities

Command	Description
`learn`	Learn WAF behavior patterns
`run`	Execute saved test workflows
`workflow`	Multi-step workflow orchestration
`benchmark`	WAF performance benchmarking
`mcp`	Start MCP server for AI integration
`version`	Print version information

Full command reference →

Output Formats

WAFtester supports 16 output formats for different workflows and integrations.

Format	Flag	Use Case
JSON	`-o out.json`	Automation, API consumption
HTML	`-o out.html`	Shareable reports with themes
Markdown	`-o out.md`	Documentation, issue trackers
CSV	`-o out.csv`	Spreadsheets, data analysis
XML	`-o out.xml`	Legacy tooling
PDF	`-o out.pdf`	Executive reports
SARIF	`-o out.sarif`	GitHub Code Scanning, VS Code
SonarQube	`-o out.sonarqube.json`	SonarQube import
GitLab SAST	`-o gl-sast.json`	GitLab security dashboard
JUnit	`-o out.junit.xml`	CI/CD test results
CycloneDX VEX	`-o out.cdx.json`	Supply chain security
GitHub Issues	`--github-issues`	Auto-create issues per finding
Azure DevOps	`--azure-workitems`	Azure Boards integration
Elasticsearch	`--elasticsearch`	SIEM indexing
OpenTelemetry	`--otel`	Distributed tracing
Console	(default)	Human-readable terminal output

Multiple outputs in one run:

waftester scan -u https://app.com -o report.html -o results.sarif -o data.json

Full output formats guide →

CI/CD Integration

GitHub Actions

name: WAF Security Test
on:
  push:
    branches: [main]
  pull_request:

jobs:
  waf-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run WAFtester
        uses: waftester/waftester-action@v1
        with:
          target: ${{ secrets.WAF_TARGET_URL }}
          mode: scan
          args: --smart -o results.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI

waf-test:
  image: ghcr.io/waftester/waftester:latest
  stage: test
  script:
    - waftester scan -u $WAF_TARGET_URL --smart -o gl-sast.json
  artifacts:
    reports:
      sast: gl-sast.json

Azure DevOps

- task: CmdLine@2
  displayName: WAF Security Test
  inputs:
    script: |
      npx -y @waftester/cli scan -u $(WAF_TARGET_URL) --smart -o results.sarif
- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: results.sarif
    artifactName: waf-results

All CI/CD platforms →

MCP Server

WAFtester includes a built-in Model Context Protocol server. Connect it to AI assistants for natural language WAF testing.

Claude Desktop

{
  "mcpServers": {
    "waftester": {
      "command": "waftester",
      "args": ["mcp", "--transport", "stdio"]
    }
  }
}

VS Code (GitHub Copilot)

{
  "mcp": {
    "servers": {
      "waftester": {
        "command": "waftester",
        "args": ["mcp", "--transport", "stdio"]
      }
    }
  }
}

n8n (SSE transport)

# Start the MCP server with SSE transport
waftester mcp --transport sse --port 8080

Then configure n8n’s MCP node to connect to http://localhost:8080/sse.

The MCP server exposes all WAFtester commands as tools. Ask your AI assistant:

“Scan example.com for SQL injection bypasses”
“What WAF is protecting this URL?”
“Run a full assessment and generate a SARIF report”

Full MCP setup guide →

Advanced Options

Flag	Default	Description
`--smart`	off	Adaptive scanning (auto-detects WAF, selects payloads)
`--threads`	10	Concurrent request threads
`--delay`	0	Delay between requests (ms)
`--timeout`	10s	HTTP request timeout
`--proxy`	-	HTTP/SOCKS proxy URL
`--headers`	-	Custom HTTP headers (key:value)
`--tampers`	-	Comma-separated tamper scripts
`--payloads`	built-in	Custom payload file path
`--categories`	all	Filter by attack category (sqli, xss, …)
`--enrich`	off	Enrich payloads with Nuclei templates
`--paranoia`	1	Paranoia level (1-4, higher = more tests)
`--http2`	auto	Force HTTP/2

Combine flags for targeted testing:

# SQLi-only scan through a proxy with evasion
waftester scan -u https://app.com \
  --categories sqli \
  --tampers urlenc,htmlenc,unicodec \
  --proxy http://127.0.0.1:8080 \
  --threads 5 \
  --delay 100

Full tamper scripts reference →

Troubleshooting

Connection refused / timeout

# Verify target is reachable
curl -I https://your-app.com

# Use --debug for detailed request/response logging
waftester scan -u https://your-app.com --debug

Too many false positives

# Run false positive testing to verify findings
waftester fp -u https://your-app.com

# Use --smart mode for better detection accuracy
waftester scan -u https://your-app.com --smart

Rate limiting / 429 errors

# Add delay between requests
waftester scan -u https://your-app.com --delay 200 --threads 2

WAF not detected

# Try with different detection methods
waftester vendor -u https://your-app.com --debug

# Force scan even without detection
waftester scan -u https://your-app.com --no-vendor-check