wafw00f Cheatsheet
Purpose: Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app.
Basic Usage
wafw00f <url> # Scan a single target
wafw00f https://example.com # HTTPS target
wafw00f example.com -v # Verbose output
wafw00f example.com -vv # Extra verbose (debug)
Common Flags
| Flag | Description |
|---|---|
| -v / -vv | Verbose / very verbose output |
| -a | Find ALL WAFs (don't stop at first match) |
| -r | Disable HTTP redirect following |
| -t <waf> | Test only for a specific WAF |
| -o <file> | Write results to file |
| -f <format> | Output format: csv, json, text |
| -i <file> | Read targets from input file |
| -p <proxy> | Use proxy (e.g. http://127.0.0.1:8080) |
| -T <n> | Set request timeout (seconds) |
| -H <file> | Use custom headers from file |
| -l | List all WAFs it can detect |
| --no-colors | Disable ANSI colored output |
Listing & Targeted Detection
wafw00f -l # List supported WAFs
wafw00f example.com -t "Cloudflare (Cloudflare Inc.)"
wafw00f example.com -a # Detect every WAF in chain
Bulk Scanning
wafw00f -i targets.txt -o results.json -f json
wafw00f -i urls.txt -a -o waf-report.csv -f csv
Routing Through a Proxy (Burp / ZAP)
wafw00f https://target.tld -p http://127.0.0.1:8080
Custom Headers File Example
headers.txt:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Recon/1.0
X-Forwarded-For: 127.0.0.1
wafw00f example.com -H headers.txt -v
Interpreting Results
- "is behind <WAF>": confident detection via a signature match; the named WAF is the fingerprinted product.
- "seems to be behind a WAF or some sort of security solution": a generic block was detected, but no fingerprint matched.
- "No WAF detected": either there is no WAF, or the WAF is in passive/learning mode and did not block the probes.
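The three outcomes above map onto the records that a bulk run with `-o results.json -f json` writes, so a scan of many targets can be triaged without reading each line. Added example, not part of this cheatsheet or of wafw00f itself; it assumes each JSON record carries the keys `url`, `detected`, `firewall` and `manufacturer`, with `"Generic"` for an unfingerprinted block and `"None"` when nothing was detected, and the sample data is constructed:

```python
"""Triage wafw00f JSON output from: wafw00f -i targets.txt -o results.json -f json

Assumption (not stated on the cheatsheet): each record has the keys
"url", "detected", "firewall" and "manufacturer" as wafw00f 2.x writes them.
"""
import json
from collections import Counter

# Constructed sample of what wafw00f writes with -f json (not real scan data).
SAMPLE_JSON = """[
  {"url": "https://app.example.com", "detected": true,
   "firewall": "Cloudflare", "manufacturer": "Cloudflare Inc."},
  {"url": "https://api.example.com", "detected": true,
   "firewall": "Generic", "manufacturer": "Unknown"},
  {"url": "https://legacy.example.com", "detected": false,
   "firewall": "None", "manufacturer": "None"}
]"""


def classify(record: dict) -> str:
    """Map one wafw00f record to one of the three outcomes listed above."""
    if not record.get("detected"):
        return "none"            # "No WAF detected": absent, or passive/learning mode
    if record.get("firewall") in (None, "", "None", "Generic"):
        return "generic"         # blocked, but no signature matched
    return "fingerprinted"       # "is behind <WAF>": confident signature match


def triage(json_text: str) -> dict:
    """Group target URLs by outcome and count named WAF products across the scan."""
    groups = {"fingerprinted": [], "generic": [], "none": []}
    products = Counter()
    for rec in json.loads(json_text):
        outcome = classify(rec)
        groups[outcome].append(rec["url"])
        if outcome == "fingerprinted":
            products[f'{rec["firewall"]} ({rec["manufacturer"]})'] += 1
    return {"groups": groups, "products": dict(products)}


if __name__ == "__main__":
    result = triage(SAMPLE_JSON)
    for outcome, urls in result["groups"].items():
        print(f"{outcome:14s} {len(urls):3d}  {', '.join(urls)}")
    print("products:", result["products"])
```

The "none" group is the list worth reviewing first, since it contains the assets that are either unprotected or fronted by a WAF that is not enforcing.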
Tips
- Run -a if a CDN WAF (Cloudflare, Akamai) may be stacked over an origin WAF (ModSecurity, F5).
- Combine with nikto and whatweb; WAF presence changes how aggressively you should scan.
- WAF detected ≠ scan blocked. Throttle scans and consider source IP rotation.
- If results are inconsistent, retry with -r (no redirects); some WAFs only trigger on the final URL.