Web Application Firewall (WAF)


Many web applications sit behind a WAF (Web Application Firewall) that aims to protect the application from common attack classes (XSS, SQLi, path traversal, etc.) by inspecting and filtering requests. Identifying whether a WAF is present, and if so which product, tells you which rule set you are up against and which known bypass techniques are worth trying.


This can be done with tools like WAFW00F (Python), WhatWaf (Python) or nmap's NSE scripts, or manually by comparing the responses to a benign request and an obviously malicious one and looking at status codes, cookies and HTTP response headers (for example a `Server: cloudflare` or `CF-RAY` header for Cloudflare, `visid_incap_`/`incap_ses_` cookies for Imperva Incapsula, or `TS...` cookies and the "The requested URL was rejected" block page for F5 BIG-IP ASM). Keep in mind that these tools work by sending attack-like payloads, so they are noisy, may get the source IP rate-limited or blocked, and a WAF running in monitoring-only mode or with a custom block page can go undetected.

wafw00f $URL
whatwaf -u $URL
nmap -p $PORT --script=http-waf-detect,http-waf-fingerprint $HOST
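The manual approach described above, as an added example (not code from WAFW00F, WhatWaf or nmap): it matches a small table of publicly documented header, cookie and block-page markers against a response, and runs the same benign-versus-malicious differential check that `http-waf-detect` performs. The signature table, the probe payload and the sample responses are assumptions constructed for the example; a real engagement would use a much larger signature list.

```python
#!/usr/bin/env python3
"""Minimal WAF fingerprinting: header/cookie/body signature matching plus a
benign-vs-malicious differential request. Added example in the spirit of
wafw00f and nmap's http-waf-detect, not code from either project."""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: list  # list of (name, value); repeated Set-Cookie entries allowed
    body: str = ""


# (product, header-name regex, header-value regex). Only widely documented
# markers are listed; an empty value regex matches on header presence alone.
SIGNATURES = [
    ("Cloudflare", r"^server$", r"cloudflare"),
    ("Cloudflare", r"^cf-ray$", r""),
    ("Imperva Incapsula", r"^x-cdn$", r"incapsula"),
    ("Imperva Incapsula", r"^set-cookie$", r"^(visid_incap_|incap_ses_)"),
    ("Akamai", r"^server$", r"akamaighost"),
    ("Akamai", r"^set-cookie$", r"^ak_bmsc="),
    ("F5 BIG-IP ASM", r"^set-cookie$", r"^TS[0-9a-f]{6,8}="),
]
# Strings from vendor block pages (case-sensitive, matched against the body).
BLOCK_BODY_MARKERS = [
    ("Cloudflare", r"Attention Required! \| Cloudflare"),
    ("F5 BIG-IP ASM", r"The requested URL was rejected\. Please consult with your administrator"),
]
# Status codes WAFs commonly answer with when they drop a request.
BLOCK_STATUSES = {403, 406, 418, 429, 501, 503}


def fingerprint(resp: Response) -> set:
    """Return the set of products whose signatures match one response."""
    hits = set()
    for product, name_re, value_re in SIGNATURES:
        for name, value in resp.headers:
            if re.search(name_re, name, re.I) and re.search(value_re, value, re.I):
                hits.add(product)
    for product, body_re in BLOCK_BODY_MARKERS:
        if re.search(body_re, resp.body):
            hits.add(product)
    return hits


def looks_filtered(benign: Response, attack: Response) -> bool:
    """Differential check: same endpoint answers a benign request normally but
    rejects an obviously malicious one. Evidence of *some* filtering layer
    even when no product signature matches."""
    return benign.status not in BLOCK_STATUSES and attack.status in BLOCK_STATUSES


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch a URL; HTTP error statuses (403 etc.) are returned, not raised,
    because the block page is exactly what we want to inspect."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, list(r.headers.items()),
                            r.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, list(e.headers.items()),
                        e.read(4096).decode("utf-8", "replace"))


def detect(url: str) -> dict:
    """Run both checks against a live target. The probe is a textbook XSS+SQLi
    string (an assumption; any rule set worth the name should block it)."""
    benign = fetch(url)
    sep = "&" if "?" in url else "?"
    attack = fetch(url + sep + "q=%3Cscript%3Ealert(1)%3C/script%3E%20UNION%20SELECT%201--")
    return {"signatures": fingerprint(benign) | fingerprint(attack),
            "differential_block": looks_filtered(benign, attack)}


# Constructed sample responses (not captured from any real host) so the
# matching logic can be exercised offline.
SAMPLE_PLAIN_OK = Response(200, [("Server", "nginx"), ("Content-Type", "text/html")], "<html>ok</html>")
SAMPLE_CLOUDFLARE_BLOCK = Response(
    403,
    [("Server", "cloudflare"), ("CF-RAY", "7a1b2c3d4e5f6789-FRA"), ("Set-Cookie", "__cf_bm=abc; Path=/")],
    "<title>Attention Required! | Cloudflare</title>")
SAMPLE_INCAPSULA = Response(
    200,
    [("X-CDN", "Incapsula"), ("Set-Cookie", "visid_incap_123=xyz; Path=/"), ("Set-Cookie", "incap_ses_5_123=abc")])
SAMPLE_F5 = Response(200, [("Set-Cookie", "TS01a2b3c4=0123abcd; Path=/")])

if __name__ == "__main__":
    print(detect(sys.argv[1]))  # usage: python3 wafid.py https://target.example/
```

Run it against a live target with `python3 wafid.py "$URL"`; an empty `signatures` set together with `differential_block: True` is the typical result for a WAF that has been given a custom block page, and is your cue to inspect the block response by hand.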

