whatwaf sends a series of crafted HTTP probe requests to a target site and analyzes the responses for indicators of WAF blocking behavior.
It detects common commercial and open-source firewalls by matching characteristic response headers, patterns, and bodies.
whatwaf performs multiple probes, such as SQL injection, XSS, and local file inclusion (LFI) payloads, and compares the target's HTTP responses against known WAF fingerprints.
Detection is based on:
- HTTP status codes
- Response headers containing WAF vendor signatures
- Response bodies containing diagnostic strings or challenge pages
- Regular-expression matching for vendor-specific phrases
Install via Cargo:
cargo install whatwafwhatwaf https://example.com[*] checking https://example.com
[*] running 4 probes
[*] plain request probe: payload=None
[-] no detection
[*] xss probe: payload='<script>alert(1)</script>'
[+] waf=cloudflare status=403
[~] the site https://example.com is behind Cloudflare waf| WAF | Vendor | Country of Origin |
|---|---|---|
| ArvanCloud | Abr Arvan | 🇮🇷 |
| Astra | Astra Security | 🇮🇳 |
| ASPA | Aspa Engineering Co. | 🇮🇷 |
| Barracuda | Barracuda Networks, Inc. | 🇺🇸 |
| Cloudflare WAF | Cloudflare, Inc. | 🇺🇸 |
| Cloudfront WAF | Amazon Web Services | 🇺🇸 |
| Datadome | Datadome | 🇫🇷 |
| DotDefender | Applicure Technologies | 🇮🇱 |
| FortiWeb | Fortinet, Inc. | 🇺🇸 |
| Front Door (Azure) WAF | Microsoft Corporation | 🇺🇸 |
| Incapsula | Imperva, Inc. | 🇺🇸 |
| Janusec Application Gateway | JANUSEC | 🇺🇳* |
| Kona Site Defender | Akamai Technologies | 🇺🇸 |
| NexusGuard | NexusGuard, Inc. | 🇸🇬 |
| SafeLine | Chaitin Tech | 🇨🇳 |
| Sucuri | Sucuri, Inc | 🇺🇸 |
| Wordfence | Defiant Inc. | 🇺🇸 |
| Zenedge | Oracle Corporation | 🇺🇸 |
*Country of Origin is not clearly documented.