> ## Documentation Index
> Fetch the complete documentation index at: https://pentest-tools.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# WAF Detector

> Identify web application firewalls protecting target websites

## Overview

The WAF Detector identifies whether a target website is protected by a Web Application Firewall (WAF) and attempts to determine which WAF product is in use. It can detect **98 different WAF products** and attempts to find the origin IP address to bypass the WAF.

The WAF Detector is a **discovery tool**: it identifies protection mechanisms but does not test for vulnerabilities. It does not add data to your [Attack Surface](/capabilities/attack-surface) or generate [findings](/core/findings/findings).

## Parameters

| Parameter | Description                                                              |
| --------- | ------------------------------------------------------------------------ |
| Target    | The URL of the website to scan. Must start with `http://` or `https://`. |

## How it works

The tool uses a multi-stage approach to detect WAF presence:

<Steps>
  <Step title="Heuristic attack">
    Sends a request containing a combined payload that simulates multiple attack types (XSS, SQLi, directory traversal, RCE, XXE). This is designed to trigger WAF responses.
  </Step>

  <Step title="Response analysis">
    Analyzes the response using pattern matching against 98 known WAF signatures. Checks HTTP headers, response body, and status codes.
  </Step>

  <Step title="Generic detection">
    If no specific WAF is identified, performs additional tests to detect WAF behavior:

    * Removes User-Agent header and compares responses
    * Sends individual attack vectors (XSS, SQLi, directory traversal)
    * Checks for Server header changes after attacks
  </Step>

  <Step title="Origin IP search">
    If a WAF is detected, attempts to find the origin IP address that bypasses the WAF protection.
  </Step>
</Steps>

### Detection methods

The tool analyzes multiple signals to identify WAF presence:

| Method                    | What it detects                                         |
| ------------------------- | ------------------------------------------------------- |
| **Response patterns**     | WAF-specific error pages, headers, and body content     |
| **HTTP headers**          | WAF signatures in Server, X-headers, and cookie headers |
| **Status code changes**   | Different responses between normal and attack requests  |
| **Server header changes** | Changes in the Server header after attack attempts      |
| **Connection behavior**   | Dropped connections or timeouts after attacks           |

### Supported WAFs

The tool can identify 98 WAF products, including Cloudflare, AWS WAF, Akamai Kona, Imperva Incapsula, F5 BIG-IP ASM, Fortinet FortiWeb, Barracuda, Sucuri, ModSecurity, and Wordfence.

<Note>
  Detection is based on [identYwaf](https://github.com/stamparm/identYwaf) signatures.
</Note>

### Origin IP discovery

When a WAF is detected, the tool attempts to find the origin IP address, which may be accessible directly without WAF protection:

| Method                          | Description                                                               |
| ------------------------------- | ------------------------------------------------------------------------- |
| **DNS records**                 | Extracts IP addresses from NS, MX, TXT, SOA, A, and AAAA records          |
| **Favicon hash search**         | Computes the favicon's MMH3 hash and searches Shodan for matching servers |
| **Shodan hostname search**      | Searches Shodan for the target hostname                                   |
| **SSL certificate fingerprint** | Finds servers with the same SSL certificate SHA1 fingerprint              |

Each discovered IP is validated by:

1. Requesting the page with the original Host header
2. Comparing the response's HTML structure similarity (must be ≥90%)
3. Running WAF detection again to confirm bypass

<Tip>
  When a WAF is detected, consider using the discovered origin IP (if found) to scan the application directly. However, always confirm you have authorization to test the origin server.
</Tip>

## Follow-up actions

Based on detection results:

| Result                      | Recommended action                                                                                      |
| --------------------------- | ------------------------------------------------------------------------------------------------------- |
| WAF detected with origin IP | Consider scanning the origin IP directly with [Website Scanner](/tools/website-scanner)                 |
| WAF detected, no origin IP  | Adjust scan settings to avoid rate limiting; use slower scan speeds                                     |
| No WAF detected             | Proceed with [Website Scanner](/tools/website-scanner) at normal speed                                  |
| CDN detected                | Run [Website Recon](/tools/website-recon) for additional technology fingerprinting                      |
| HTTPS endpoint              | Run [SSL/TLS Scanner](/tools/ssl-tls-scanner) for certificate analysis (useful for origin IP discovery) |
