Overview
The WAF Detector identifies whether a target website is protected by a Web Application Firewall (WAF) and attempts to determine which WAF product is in use. It can detect 98 different WAF products and attempts to find the origin IP address to bypass the WAF. The WAF Detector is a discovery tool: it identifies protection mechanisms but does not test for vulnerabilities. It does not add data to your Attack Surface or generate findings.
Parameters
| Parameter | Description |
|---|---|
| Target | The URL of the website to scan. Must start with http:// or https://. |
How it works
The tool uses a multi-stage approach to detect WAF presence:
Heuristic attack
Sends a request containing a combined payload that simulates multiple attack types (XSS, SQLi, directory traversal, RCE, XXE). This is designed to trigger WAF responses.
Response analysis
Analyzes the response using pattern matching against 98 known WAF signatures. Checks HTTP headers, response body, and status codes.
Generic detection
If no specific WAF is identified, performs additional tests to detect WAF behavior:
- Removes User-Agent header and compares responses
- Sends individual attack vectors (XSS, SQLi, directory traversal)
- Checks for Server header changes after attacks
Detection methods
The tool analyzes multiple signals to identify WAF presence:
| Method | What it detects |
|---|---|
| Response patterns | WAF-specific error pages, headers, and body content |
| HTTP headers | WAF signatures in Server, X-headers, and cookie headers |
| Status code changes | Different responses between normal and attack requests |
| Server header changes | Changes in the Server header after attack attempts |
| Connection behavior | Dropped connections or timeouts after attacks |
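To make the response-analysis and generic-detection stages concrete, here is an added Python example (not the WAF Detector's own code) that runs signature matching over captured responses and then the baseline-versus-probe comparison from the table above. The `HttpResponse` class, the `SIGNATURES` list and the function names are assumptions made for this illustration; the signatures are a small subset of publicly documented fingerprints, not the 98 identYwaf signatures the tool uses, and every response below is constructed rather than captured from a real site. A defender can feed it their own WAF's block page to see which headers and body strings identify the product to a scanner.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpResponse:
    """Minimal captured response (hypothetical structure, not the tool's)."""
    status: int                                             # 0 = connection dropped / timed out
    headers: Dict[str, str] = field(default_factory=dict)   # lower-case header names
    body: str = ""

    def header_text(self) -> str:
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


# Illustrative subset of publicly documented fingerprints (assumed here; NOT the identYwaf set).
# Each entry: (product, regex over "name: value" header lines, regex over the body).
SIGNATURES: List[Tuple[str, Optional[str], Optional[str]]] = [
    ("Cloudflare",        r"(?mi)^(cf-ray:|server: cloudflare)",      r"Attention Required! \| Cloudflare"),
    ("Imperva Incapsula", r"(?mi)^(x-cdn: incapsula|set-cookie: (incap_ses_|visid_incap_))",
                                                                      r"Incapsula incident ID"),
    ("Akamai Kona",       r"(?mi)^server: akamaighost",               r"Access Denied.*Reference #"),
    ("Sucuri",            r"(?mi)^(server: sucuri|x-sucuri-id:)",     r"Sucuri WebSite Firewall"),
    ("F5 BIG-IP ASM",     None, r"The requested URL was rejected\. Please consult with your administrator"),
    ("ModSecurity",       r"(?mi)^server: (mod_security|noyb)",       r"Mod_Security"),
    ("Wordfence",         None,                                       r"Generated by Wordfence"),
]


def identify_waf(resp: HttpResponse) -> List[str]:
    """Response analysis: match headers first, then the body, against every signature."""
    hits = []
    hdrs = resp.header_text()
    for product, header_re, body_re in SIGNATURES:
        if header_re and re.search(header_re, hdrs):
            hits.append(product)
        elif body_re and re.search(body_re, resp.body, re.S):
            hits.append(product)
    return hits


def generic_signals(baseline: HttpResponse, probe: HttpResponse) -> Dict[str, bool]:
    """Generic detection: compare the normal response with the response to a changed
    request (e.g. the same URL without a User-Agent header) and flag the listed behaviours."""
    dropped = probe.status == 0
    return {
        "connection_dropped": dropped,
        "status_changed": not dropped and probe.status != baseline.status,
        "server_header_changed": not dropped
            and probe.headers.get("server") != baseline.headers.get("server"),
    }


def classify(baseline: HttpResponse, probe: HttpResponse) -> Tuple[Optional[str], str]:
    """Overall verdict: (product or None, 'identified' | 'generic' | 'none')."""
    named = identify_waf(probe)
    if named:
        return named[0], "identified"
    if any(generic_signals(baseline, probe).values()):
        return None, "generic"
    return None, "none"


# Constructed sample responses (placeholder values, not captured from any site).
BASELINE = HttpResponse(200, {"server": "nginx", "content-type": "text/html"},
                        "<html><head><title>Shop</title></head><body>Welcome</body></html>")
CLOUDFLARE_BLOCK = HttpResponse(403, {"server": "cloudflare", "cf-ray": "PLACEHOLDER-RAY-ID"},
                                "<title>Attention Required! | Cloudflare</title>")
GENERIC_BLOCK = HttpResponse(403, {"server": "unknown"}, "<h1>Forbidden</h1>")
DROPPED = HttpResponse(0)

if __name__ == "__main__":
    for name, probe in [("cloudflare", CLOUDFLARE_BLOCK), ("generic", GENERIC_BLOCK), ("dropped", DROPPED)]:
        print(name, classify(BASELINE, probe), generic_signals(BASELINE, probe))
```

The order of checks mirrors the page: a named signature wins outright, and the behavioural comparison is only consulted when no product is recognised, which is why a dropped connection or a changed Server header yields the weaker "generic" verdict rather than a product name.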
Supported WAFs
The tool can identify 98 WAF products, including Cloudflare, AWS WAF, Akamai Kona, Imperva Incapsula, F5 BIG-IP ASM, Fortinet FortiWeb, Barracuda, Sucuri, ModSecurity, and Wordfence. Detection is based on identYwaf signatures.
Origin IP discovery
When a WAF is detected, the tool attempts to find the origin IP address, which may be accessible directly without WAF protection:
| Method | Description |
|---|---|
| DNS records | Extracts IP addresses from NS, MX, TXT, SOA, A, and AAAA records |
| Favicon hash search | Computes the favicon’s MMH3 hash and searches Shodan for matching servers |
| Shodan hostname search | Searches Shodan for the target hostname |
| SSL certificate fingerprint | Finds servers with the same SSL certificate SHA1 fingerprint |
Each candidate IP is then verified by:
- Requesting the page from the candidate IP with the original Host header
- Comparing the response’s HTML structure with the WAF-fronted site’s page (similarity must be ≥90%)
- Running WAF detection again to confirm bypass
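The ≥90% structure-similarity check is the verification step most worth seeing in code, so here is an added Python example (not the WAF Detector's own code) that reduces two HTML documents to their tag sequences and scores them with `difflib.SequenceMatcher`. The choice of tag sequence as the "structure", the 0.90 threshold constant and the sample pages are assumptions made for this illustration; the pages are constructed, not fetched. A defender can run the same comparison against their own origin to confirm that a request carrying the public Host header is refused or answered with a different page, i.e. that the origin lock-down actually holds.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from typing import List

SIMILARITY_THRESHOLD = 0.90   # the page's ">= 90%" requirement, as a ratio


class _TagCollector(HTMLParser):
    """Reduce a document to its sequence of start/end tags; text and attributes are ignored,
    so dynamic content (session names, timestamps) does not affect the score."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def tag_sequence(html: str) -> List[str]:
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags


def html_similarity(a: str, b: str) -> float:
    """Structural similarity in [0, 1]: SequenceMatcher ratio over the two tag sequences.
    Edge case: an empty document (dropped or blank response) scores 0.0, not the 1.0
    SequenceMatcher would report for two empty sequences, so it can never verify."""
    ta, tb = tag_sequence(a), tag_sequence(b)
    if not ta or not tb:
        return 0.0
    return SequenceMatcher(None, ta, tb, autojunk=False).ratio()


def candidate_matches(fronted_html: str, candidate_html: str,
                      threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True when the candidate's page is structurally the same site as the fronted one."""
    return html_similarity(fronted_html, candidate_html) >= threshold


# Constructed pages (placeholders, not fetched from anywhere).
FRONTED_PAGE = ("<html><head><title>Shop</title></head>"
                "<body><div><p>Welcome back</p></div></body></html>")
ORIGIN_SAME_APP = ("<html><head><title>Shop</title></head>"
                   "<body><div><p>Hello, visitor 4711</p></div></body></html>")   # same structure, different text
ORIGIN_DEFAULT_VHOST = "<html><body><h1>Forbidden</h1></body></html>"            # locked-down origin

if __name__ == "__main__":
    print("same app:", html_similarity(FRONTED_PAGE, ORIGIN_SAME_APP))
    print("default vhost:", html_similarity(FRONTED_PAGE, ORIGIN_DEFAULT_VHOST))
```

Comparing tag sequences rather than raw HTML is what makes the check robust to per-request text while still rejecting an origin that answers with a generic default page.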
Follow-up actions
Based on detection results:
| Result | Recommended action |
|---|---|
| WAF detected with origin IP | Consider scanning the origin IP directly with Website Scanner |
| WAF detected, no origin IP | Adjust scan settings to avoid rate limiting; use slower scan speeds |
| No WAF detected | Proceed with Website Scanner at normal speed |
| CDN detected | Run Website Recon for additional technology fingerprinting |
| HTTPS endpoint | Run SSL/TLS Scanner for certificate analysis (useful for origin IP discovery) |