
wafw00f Cheatsheet



WAFW00F (Web Application Firewall Detection Tool) identifies and fingerprints Web Application Firewalls (WAF) protecting a website. It can detect over 150 WAF products.


Basic Usage

  • wafw00f <url> - Detect WAF on target
  • wafw00f https://example.com - Scan single target

Options

  • -a, --findall - Find all WAFs (don't stop at first match)
  • -i, --input <file> - Read targets from file
  • -p, --proxy <proxy> - Use HTTP proxy
  • -r, --random - Randomize User-Agent
  • -t, --test <waf> - Test for specific WAF
  • -o, --output <file> - Output to file
  • -f, --format <format> - Output format (csv, json, txt)
  • -v, --verbose - Verbose output
  • -l, --list - List all detectable WAFs
  • -H, --headers <file> - Custom headers from file

Common Examples

Basic Detection

wafw00f https://example.com

Detect WAF on target.

Find All WAFs

wafw00f -a https://example.com

Don't stop at first detection.

Multiple Targets

wafw00f -i targets.txt

Scan multiple targets from file.

Test Specific WAF

wafw00f -t Cloudflare https://example.com

Check for specific WAF only.

JSON Output

wafw00f -f json -o results.json https://example.com

Save results as JSON.

CSV Output

wafw00f -f csv -o results.csv https://example.com

Save results as CSV.

Verbose Mode

wafw00f -v https://example.com

Show detailed detection process.

Through Proxy

wafw00f -p http://127.0.0.1:8080 https://example.com

Route requests through a local intercepting proxy such as Burp Suite.

List All Detectable WAFs

wafw00f -l

Show all WAFs the tool can detect.


Common WAFs Detected

  • Cloudflare
  • Akamai
  • AWS WAF
  • ModSecurity
  • F5 BIG-IP
  • Imperva/Incapsula
  • Sucuri
  • Barracuda
  • Fortinet FortiWeb
  • Citrix NetScaler
  • DenyAll
  • Radware AppWall

Detection Methods

WAFW00F uses several techniques:

  • Analyzing response headers
  • Analyzing response cookies
  • Sending malicious payloads and checking response
  • Checking for known WAF error messages
  • Timing analysis
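
The following is an added illustration of the passive (header, cookie, error-page) and active (blocked-probe) checks listed above. It is example code written for this cheatsheet, not wafw00f's own code; the signatures are written from memory for illustration and are not copied from wafw00f's plugin files, and the sample responses are constructed, not captured from any real host. The `Response` class, `fingerprint`, `generic_block_detected` and `report` are names chosen here.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; header names are lower-cased."""
    status: int
    headers: dict = field(default_factory=dict)
    cookies: list = field(default_factory=list)   # cookie names only
    body: str = ""


# Illustrative signatures (assumed, from memory; NOT copied from wafw00f's
# plugin files and may lag behind vendor changes).
SIGNATURES = {
    "Cloudflare": {
        "headers": {"cf-ray": r".", "server": r"(?i)cloudflare"},
        "cookies": [r"^__cf_bm$", r"^__cfduid$"],
        "body": [r"Attention Required! \| Cloudflare"],
    },
    "Sucuri": {
        "headers": {"x-sucuri-id": r".", "server": r"(?i)sucuri/cloudproxy"},
        "body": [r"Access Denied - Sucuri Website Firewall"],
    },
    "Akamai": {"headers": {"server": r"(?i)akamaighost"}},
    "Imperva/Incapsula": {
        "headers": {"x-iinfo": r"."},
        "cookies": [r"^incap_ses_", r"^visid_incap_"],
    },
}


def match_signature(resp: Response, sig: dict) -> list:
    """Return human-readable evidence for every part of `sig` that `resp` satisfies."""
    evidence = []
    for name, pattern in sig.get("headers", {}).items():
        value = resp.headers.get(name)
        if value is not None and re.search(pattern, value):
            evidence.append(f"header {name}: {value}")
    for pattern in sig.get("cookies", []):
        for cookie in resp.cookies:
            if re.search(pattern, cookie):
                evidence.append(f"cookie {cookie}")
    for pattern in sig.get("body", []):
        if re.search(pattern, resp.body):
            evidence.append(f"body matches {pattern!r}")
    return evidence


def fingerprint(responses: list, find_all: bool = False) -> list:
    """Passive fingerprinting over all observed responses (baseline and probes).

    Mirrors -a/--findall: without it, stop at the first product that matches,
    which is why layered deployments can hide a second WAF.
    """
    hits = []
    for product, sig in SIGNATURES.items():
        evidence = []
        for resp in responses:
            evidence.extend(match_signature(resp, sig))
        if evidence:
            hits.append((product, sorted(set(evidence))))
            if not find_all:
                break
    return hits


def generic_block_detected(baseline: Response, probe: Response) -> bool:
    """Active check: a clean request succeeds but a test request is refused.

    `probe` is the response to a request carrying a string a WAF would be
    expected to block; the string itself is deliberately not modelled here.
    """
    return baseline.status < 400 and probe.status in (403, 406, 419, 429, 503)


def report(baseline: Response, probe: Response, find_all: bool = False) -> str:
    """Combine both methods the way a detection tool would summarise them."""
    hits = fingerprint([baseline, probe], find_all)
    if hits:
        return "; ".join(f"{p} ({', '.join(e)})" for p, e in hits)
    if generic_block_detected(baseline, probe):
        return "Generic WAF behaviour detected (probe blocked, no known signature)"
    return "No WAF detected"


# Constructed sample responses (not captured from any real host).
BASELINE = Response(200, {"server": "cloudflare", "cf-ray": "8a1b2c3d4e5f-FRA"},
                    ["__cf_bm"], "<html>ok</html>")
PROBE = Response(403, {"server": "cloudflare", "cf-ray": "8a1b2c3d4e60-FRA"},
                 [], "<title>Attention Required! | Cloudflare</title>")
PLAIN = Response(200, {"server": "nginx"}, ["sessionid"], "<html>ok</html>")

if __name__ == "__main__":
    print(report(BASELINE, PROBE))
    print(report(PLAIN, PLAIN))
```

Note that `generic_block_detected` only fires when the baseline succeeds; a host that returns 403 to everything is a false positive for "WAF present", which is the kind of finding the tips below say to verify by hand.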

Output Example

                ______
               /      \
              (  W00f! )
               \  ____/
               ,,    __            404 Conditions
           |`-.__   / /                _
           /"  _/  /_/   _       _    / |
          (  o ) o)   / /  /  | /    _  )
           \_   _/ `"" |  /  /  |  / /
           ("`-"_.\_  /  /  / | /\_/
            (____)   \__/ |  \_\

The site https://example.com is behind Cloudflare (Cloudflare Inc.) WAF.

Tips

  • Use -a to detect multiple WAFs (some sites use layered protection)
  • Knowing the WAF helps choose bypass techniques
  • Some WAFs are harder to detect than others
  • False positives can occur - verify findings
  • Run early in recon to know what you're dealing with
  • Check both HTTP and HTTPS endpoints
  • Use JSON output for automation
  • WAF presence doesn't mean site is secure
  • Always get authorization before scanning
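
As an added example of the "JSON output for automation" tip (written for this cheatsheet, not part of wafw00f), the script below reads a results file and compares what was observed against an asset inventory's expected WAF, so that a host that has silently dropped out from behind its WAF, or only triggers a generic detection, is flagged for review. The record shape (`url`, `detected`, `firewall`, `manufacturer`) is an assumption about wafw00f's JSON output that you should check against your own version; the sample records and the `EXPECTED` inventory are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape wafw00f's JSON output is ASSUMED to take
# (a list of per-URL records). Verify the keys against your wafw00f version.
SAMPLE_JSON = """[
  {"url": "https://app.example.com", "detected": true,
   "firewall": "Cloudflare", "manufacturer": "Cloudflare Inc."},
  {"url": "https://legacy.example.com", "detected": false,
   "firewall": "None", "manufacturer": "None"},
  {"url": "https://api.example.com", "detected": true,
   "firewall": "Generic", "manufacturer": "Unknown"}
]"""

# Constructed inventory: which WAF each asset is supposed to sit behind.
EXPECTED = {
    "https://app.example.com": "Cloudflare",
    "https://legacy.example.com": "Cloudflare",
    "https://api.example.com": "Cloudflare",
}

REQUIRED_KEYS = {"url", "detected", "firewall"}


def load_results(text: str) -> list:
    """Parse the JSON and reject records missing the keys the checks rely on."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON list of per-URL records")
    for r in records:
        missing = REQUIRED_KEYS - set(r)
        if missing:
            raise ValueError(f"record {r.get('url')!r} missing keys {sorted(missing)}")
    return records


def observed_waf(record: dict) -> str:
    """Normalise a record to a single product name ('None' when nothing was found)."""
    return record["firewall"] if record["detected"] else "None"


def summarize(records: list) -> dict:
    """Count targets per observed WAF product."""
    return dict(Counter(observed_waf(r) for r in records))


def needs_review(records: list) -> list:
    """URLs with no WAF detected, or only a generic detection (unverified)."""
    return [r["url"] for r in records if observed_waf(r) in ("None", "Generic")]


def drift(records: list, expected: dict) -> list:
    """(url, expected, observed) for every inventoried target that differs."""
    out = []
    for r in records:
        exp = expected.get(r["url"])
        if exp is None:
            continue  # not in inventory; nothing to compare against
        obs = observed_waf(r)
        if obs != exp:
            out.append((r["url"], exp, obs))
    return out


if __name__ == "__main__":
    recs = load_results(SAMPLE_JSON)
    print("by product:", summarize(recs))
    print("review:", needs_review(recs))
    for url, exp, obs in drift(recs, EXPECTED):
        print(f"DRIFT {url}: expected {exp}, observed {obs}")
```

For a real run, replace `SAMPLE_JSON` with the contents of the file written by `wafw00f -f json -o results.json -i targets.txt`.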
