wafw00f Cheat Sheet
Identifies Web Application Firewalls in front of targets to tune bypass and testing strategy.
Overview
wafw00f first fetches the target normally and matches response headers, cookies and body against vendor signatures, then sends malicious-looking requests and compares status codes and bodies with the benign baseline to infer which WAF/CDN protects a site (Cloudflare, Akamai, ModSecurity, etc.). Knowing the WAF guides payload encoding, rate-limit pacing, and whether the origin can be tested directly.
Authorized testing only. WAF detection still sends probe traffic to the target—ensure scope includes the WAF-protected hostname.
Install
sudo apt install -y wafw00f
or
pip install wafw00f
wafw00f --version
Essential commands
Single URL
wafw00f https://target.example.com
Find all WAFs (no early exit after the first match)
wafw00f -a https://target.example.com
Read targets from a file
wafw00f -i urls.txt -o waf_results.txt
Common workflows
Post-httpx WAF mapping (httpx output already carries the scheme, so each line can be passed straight to wafw00f; the same list also works as an -i input file)
httpx -l subs.txt -silent | while read -r u; do wafw00f "$u" 2>/dev/null; done | tee waf.log
Through proxy (observe the probe requests and any blocks in Burp)
wafw00f https://target.example.com -p http://127.0.0.1:8080
JSON for pipelines
wafw00f https://target.example.com -f json -o waf.json
Flags reference
| Flag | Meaning |
|---|---|
| -a | Find all WAFs whose signatures match; do not stop at the first detection |
| -i | Read targets from a file (text, csv or json; csv/json need a `url` column/element) |
| -o | Write output to a file; format follows the extension, `-` writes to stdout |
| -f | Force output format: json, csv or text |
| -p | Proxy URL, e.g. http://host:8080, socks5://host:1080, http://user:pass@host:8080 |
| -H | Custom headers, read from a text file that replaces the default header set |
| -T | Request timeout in seconds (default 7) |
| -r | Do not follow 3xx redirects |
| -l | List every WAF wafw00f can detect |
| -v | Verbose; repeat for more detail |
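Post-processing for the "JSON for pipelines" workflow above, plus a pre-flight scope filter for the hostnames you feed to -i. This is an added example, not wafw00f's own code. It assumes wafw00f's JSON output is a list of objects with the keys url, detected, firewall and manufacturer (my reading of the JSON writer; check the key names against a real waf.json from your installed version before relying on them). The sample output and the scope patterns are constructed for the example.

```python
import fnmatch
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of `wafw00f -i urls.txt -f json -o waf.json` output.
# Key names (url/detected/firewall/manufacturer) are an assumption; verify
# against your version's waf.json.
SAMPLE_WAF_JSON = """[
  {"url": "https://www.target.example.com", "detected": true,
   "firewall": "Cloudflare", "manufacturer": "Cloudflare Inc."},
  {"url": "https://api.target.example.com", "detected": true,
   "firewall": "AWS Elastic Load Balancer", "manufacturer": "Amazon"},
  {"url": "https://legacy.target.example.com", "detected": false,
   "firewall": "None", "manufacturer": "None"}
]"""


def in_scope(url, scope_patterns):
    """True if the URL's hostname matches one of the shell-style scope patterns.

    fnmatch's '*' also matches dots, so '*.target.example.com' covers every
    subdomain level; list the apex ('target.example.com') separately if it is
    in scope, because the wildcard form does not match it.
    """
    host = urlsplit(url).hostname or ""
    return any(fnmatch.fnmatch(host, p) for p in scope_patterns)


def filter_scope(urls, scope_patterns):
    """Pre-flight filter: only hostnames inside scope receive probe traffic."""
    return [u for u in urls if in_scope(u, scope_patterns)]


def summarize(waf_json_text):
    """Group hosts by detected WAF vendor; return (by_vendor, unprotected).

    'unprotected' is the list of hosts where wafw00f reported no WAF. Treat
    it as a to-do list for manual confirmation, not as proof of no WAF.
    """
    by_vendor = defaultdict(list)
    unprotected = []
    for entry in json.loads(waf_json_text):
        host = urlsplit(entry["url"]).hostname
        if entry.get("detected"):
            by_vendor[entry["firewall"]].append(host)
        else:
            unprotected.append(host)
    return dict(by_vendor), unprotected


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample (hypothetical hostnames).
    candidates = ["https://www.target.example.com", "https://cdn.other.example/"]
    print("probe list:", filter_scope(candidates, ["*.target.example.com"]))
    vendors, todo = summarize(SAMPLE_WAF_JSON)
    for vendor, hosts in vendors.items():
        print(f"{vendor}: {', '.join(hosts)}")
    print("manual confirmation needed:", todo)
```

The vendor grouping drops straight into the report section that records which WAF explains blocked payloads, and the unprotected list is the input for the manual checks under Tips.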
Tips
- A negative result does not mean no WAF—confirm with response anomalies and origin testing (if in scope).
- Pair with manual header analysis (Server, cf-ray, X-CDN).
- Document WAF vendor in report; it explains blocked payloads during testing.
- Re-run after DNS or infrastructure changes mid-engagement.
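The manual confirmation the first two tips call for, as an added example that is not wafw00f's code: it fingerprints response headers for vendor tells (Server, cf-ray, X-CDN and similar) and then compares a benign request with a malicious-looking one, the same differential wafw00f relies on when no signature matches. The signature table is a small illustrative subset I chose for this example (wafw00f ships a far larger set), the block-status list is my choice, and the URLs and response tuples in the demo and test are constructed. Run probe() only against hosts in scope.

```python
import urllib.error
import urllib.parse
import urllib.request

# Statuses a WAF commonly returns when it drops a suspicious request;
# 429 covers rate limiting. Chosen for this example, not wafw00f's list.
BLOCK_STATUSES = {403, 406, 418, 419, 429, 501, 503}

# (header name, substring required in its value, or None for "header present").
# Illustrative subset only; wafw00f's signature set is much larger.
HEADER_SIGNATURES = {
    "Cloudflare": [("server", "cloudflare"), ("cf-ray", None)],
    "Akamai": [("server", "akamaighost"), ("x-akamai-transformed", None)],
    "AWS CloudFront": [("x-amz-cf-id", None), ("via", "cloudfront")],
    "Imperva Incapsula": [("x-iinfo", None), ("x-cdn", "incapsula")],
    "ModSecurity": [("server", "mod_security")],
}


def fingerprint_headers(headers):
    """Return the vendors whose header signature matches (case-insensitive)."""
    lower = {k.lower(): str(v).lower() for k, v in headers.items()}
    hits = []
    for vendor, sigs in HEADER_SIGNATURES.items():
        for name, needle in sigs:
            if name in lower and (needle is None or needle in lower[name]):
                hits.append(vendor)
                break
    return hits


def classify(benign, attack):
    """Compare (status, headers, body) for a benign and a suspicious request.

    verdict: 'blocked' when only the suspicious request hits a block status,
    'anomaly' when statuses differ otherwise or the body size shifts by more
    than half or a cookie/challenge appears only on the suspicious request,
    'no differential' when nothing changed (a negative, not proof of no WAF).
    """
    b_status, b_headers, b_body = benign
    a_status, a_headers, a_body = attack
    vendors = []
    for v in fingerprint_headers(b_headers) + fingerprint_headers(a_headers):
        if v not in vendors:
            vendors.append(v)
    if a_status in BLOCK_STATUSES and b_status not in BLOCK_STATUSES:
        verdict = "blocked"
    elif a_status != b_status:
        verdict = "anomaly"
    else:
        b_len, a_len = len(b_body), len(a_body)
        size_shift = b_len and abs(a_len - b_len) / b_len > 0.5
        a_names = {k.lower() for k in a_headers}
        b_names = {k.lower() for k in b_headers}
        new_cookie = "set-cookie" in a_names and "set-cookie" not in b_names
        verdict = "anomaly" if (size_shift or new_cookie) else "no differential"
    return {"verdict": verdict, "vendors": vendors,
            "benign_status": b_status, "attack_status": a_status}


def fetch(url, proxy=None, timeout=7):
    """GET url and return (status, headers, body); HTTP errors are data, not failures."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (waf-check)"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def probe(url, proxy=None):
    """Send the benign/suspicious pair to an in-scope host and classify the result."""
    attack = url.rstrip("/") + "/?" + urllib.parse.urlencode(
        {"q": "<script>alert(1)</script>", "f": "../../etc/passwd"})
    return classify(fetch(url, proxy), fetch(attack, proxy))


if __name__ == "__main__":
    import sys
    # Usage: python waf_check.py https://target.example.com [http://127.0.0.1:8080]
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Route it through the same proxy as wafw00f (-p) so the benign and suspicious responses land in Burp next to wafw00f's own probes; a "no differential" verdict with no vendor headers is still only a negative, so keep the origin test (if in scope) as the final check.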