WAFtester Command Reference

The definitive reference for every WAFtester CLI command, flag, environment variable, and output option. Each command section includes its aliases, a description of what it does and when to use it, a complete flag table with types and defaults, and practical examples.

For usage examples and real-world workflows, see the Examples Guide. For installation, see the Installation Guide. For a quick task-oriented reference, see the Cheat Sheet.

Document Version: 2.9.6 Last Updated: February 2026

Reading order: This is the flag reference. For real-world examples, see EXAMPLES.md. For a quick copy-paste reference, see the Cheat Sheet. For a beginner guide, see waftester.com/docs.

Table of Contents

• Quick Start
• Which Command Should I Use?
• How Commands Relate
• Usage
• Global Options
• Environment Variables
• Glossary
• Core Scanning
  • auto — Autonomous full-spectrum assessment
  • scan — Targeted vulnerability scanning
  • run — Test plan execution
• Bypass and Evasion
  • bypass — WAF bypass discovery
  • mutate — Payload mutation engine
  • tampers — Tamper technique management
• Assessment
  • assess — WAF assessment and benchmarking
  • fp — False positive testing
  • vendor — WAF vendor detection
• Discovery and Recon
  • probe — HTTP probing and fingerprinting
  • crawl — Web crawling with JS support
  • discover — Endpoint discovery
  • learn — Test plan generation
  • analyze — JavaScript analysis
  • headless — Headless browser testing
• Protocol Testing
  • protocol — Protocol detection
  • template — Nuclei template scanning
  • smuggle — HTTP request smuggling
  • race — Race condition testing
  • openapi — OpenAPI/Swagger testing
  • grpc — gRPC service testing
  • soap — SOAP/WSDL service testing
• Utilities
  • fuzz — Directory and parameter fuzzing
  • workflow — YAML workflow orchestration
  • cloud — Cloud infrastructure discovery
  • cicd — CI/CD pipeline generation
  • plugin — Plugin management
  • mcp — Model Context Protocol server
  • validate — Payload and spec validation
  • validate-templates — Template validation
  • report — Enterprise HTML report generation
  • update — Payload updater
• Understanding Matchers and Filters
• Recommended Flag Combinations
• Performance and Footprint
• Shared Flag Groups
  • Output Flags
  • Enterprise Integration Flags
• Attack Categories Reference
• Exit Codes
• Flag Naming Notes
• See Also

Quick Start

New to WAFtester? Start here.

# Install
npm install -g @waftester/cli

# Full automated audit (recommended for first use)
waftester auto -u https://target.com

# Quick scan for specific vulnerabilities
waftester scan -u https://target.com -types sqli,xss --smart

See the Installation Guide for all installation methods (Go, Homebrew, npm, Scoop, AUR, Docker, binary).

Which Command Should I Use?

How Commands Relate

Commands are not isolated — they feed into each other. This diagram shows the most common data flows:

                       +-----------+
                       |  vendor   |  Identify WAF
                       +-----+-----+
                             |  informs tamper selection
                             v
+----------+  endpoints  +-------+  test plan  +------+
| discover |------------>| learn |------------>| run  |
+----------+             +-------+             +------+
      |                                           |
      | feeds                                     | results
      v                                           v
+----------+                                +---------+
|  crawl   |                                | report  |
+----------+                                +---------+

+----------+  does all of the above in one pass
|   auto   |--> vendor -> discover -> scan -> assess -> report
+----------+

+----------+  bypass payloads   +----------+
|  bypass  |<------------------>| tampers  |
+----------+  tamper transforms +----------+
      |
      | variants
      v
+----------+
|  mutate  |  Expand payload space
+----------+

Shortcut: If you don’t know where to start, use auto. It runs the entire pipeline.

Usage

waftester <command> [flags]

When no command is specified, run is used as the default. Commands accept flags with a single dash (-flag) or double dash (--flag); both forms are equivalent. Boolean flags can be negated with --flag=false. Multi-value flags (e.g., -header) can be repeated.

Global Options

These options are available regardless of which command is invoked.

Environment Variables

Environment variables override flag defaults. They are useful for CI/CD or Docker environments where flags would be repetitive. All variables use the WAF_TESTER_ prefix (except the legacy WAFTESTER_INTEGRATION).

Glossary

Key terms used throughout this reference:

Commands

auto

Aliases: superpower, sp

The most powerful command in WAFtester. Runs a multi-phase autonomous assessment that chains together endpoint discovery, leaky path detection, parameter mining, WAF vendor fingerprinting, smart tamper selection, 2,800+ payload testing with adaptive rate limiting, false-positive assessment, and browser-based validation into a single invocation. An AI “brain” coordinates phases, learns from responses, and adjusts strategy in real time.

Results are written to a workspace directory containing JSON, Markdown, and HTML reports. Use --resume to continue an interrupted scan from the last checkpoint.

When to use: You want a single command that does everything. Ideal for first-time assessments, CI/CD pipelines, and hands-off security audits.

When NOT to use: On production systems without --smart-mode=stealth and a conservative rate limit. The default mode sends 2,800+ payloads at 200 req/s, which can trigger WAF bans, alert SOC teams, or degrade application performance. Use scan with a narrow -types filter when you only need to test specific categories.

Target

Specify one or more URLs to scan. At least one target is required.

Core

Controls concurrency, rate limiting, timeouts, and the workspace output. These settings directly affect scan speed and stealth.

Smart Mode

Smart mode adapts scanning behavior based on detected WAF responses. It analyzes blocking patterns and adjusts payloads, timing, and evasion techniques to maximize coverage while minimizing detection.

Tamper Engine

Tamper techniques transform payloads to evade WAF pattern matching. Techniques include encoding variants, comment injection, case manipulation, whitespace substitution, and protocol-level tricks. Use --tamper-auto to let WAFtester pick the best tampers for the detected WAF.

Phases

The auto command runs multiple phases sequentially. These flags control which phases execute. Disable phases you don’t need to speed up the scan.

Brain

The brain is an AI coordination layer that observes scan results in real time, identifies patterns (e.g., which payloads get blocked vs. pass), and adjusts the scan strategy. It recommends focus areas, suggests tamper switches, and detects anomalous WAF behavior.

Resume

The auto command writes checkpoints after each phase. If a scan is interrupted (Ctrl+C, timeout, crash), use --resume to pick up from the last completed phase without re-running earlier work.

Scan Control

Fine-grained control over what gets tested and how aggressively.

API Spec

Drive the scan from an API specification file. WAFtester parses endpoints, parameters, schemas, and authentication requirements from the spec and generates targeted test payloads. Supports OpenAPI 3.x, Swagger 2.0, Postman Collections, HAR files, AsyncAPI, GraphQL schemas, and gRPC reflection.

Plus the full set of output flags and enterprise integration flags.

Examples

# Full autonomous assessment
waftester auto -u https://target.com

# With smart tamper selection
waftester auto -u https://target.com --smart --tamper-auto

# Custom tampers + increased rate
waftester auto -u https://target.com --tamper-dir=./my-tampers -rl 500

# Resume interrupted scan
waftester auto -u https://target.com --resume

# API spec-driven assessment
waftester auto -u https://api.example.com --spec openapi.yaml

scan

Targeted vulnerability scanning across 50+ attack categories including SQL injection, XSS, SSTI, SSRF, LFI, RFI, command injection, LDAP injection, NoSQL injection, prototype pollution, CRLF injection, XXE, and more. Each category uses curated payloads with WAF-specific evasion variants.

Unlike auto, the scan command gives you direct control over which attack types to run, how results are filtered, and how output is formatted. It does not run discovery or assessment phases.

When to use: You know what you want to test and need precise control. Ideal for targeted scans, regression testing, and integration into custom scripts.

When NOT to use: Against targets you do not own or have written authorization to test. Even with -types limiting the scope, every payload is a real attack attempt that will appear in server and WAF logs.

Target

Specify one or more URLs to scan. Targets can also be read from a file or piped via stdin.

Core

Configure what gets scanned, how fast, and where results go.

Smart Mode

Tamper Engine

Rate Limiting

Controls request throughput to avoid triggering rate-based WAF bans or overwhelming the target. Use -delay and -jitter for randomized spacing that mimics organic traffic.

Request

Customize HTTP request properties. Use -proxy to route through Burp Suite or ZAP for inspection. Headers and cookies are applied to every request.

OAuth

OAuth 2.0 authentication for scanning protected endpoints. WAFtester handles the token exchange automatically.

Filtering

Narrow scan scope or results. Match flags select only results meeting criteria. Filter flags exclude results meeting criteria. Combine both for precise targeting.

Output Format

Control how results are displayed. For file exports (SARIF, JUnit, etc.), see output flags.

Report

Metadata for generated reports. These values appear in report headers and footers.

Scan Control

Limit scan scope, resume interrupted scans, or preview the test plan without executing.

Debug

Diagnostic flags for troubleshooting scan behavior. CPU and memory profiling write pprof files for go tool pprof analysis.

API Spec

Plus output flags and enterprise integration flags.

Examples

# Scan for SQL injection and XSS
waftester scan -u https://target.com -types sqli,xss

# Full scan with smart mode
waftester scan -u https://target.com --smart --tamper-auto

# Custom tampers from a directory
waftester scan -u https://target.com --tamper-dir=./my-tampers

# With proxy and custom headers
waftester scan -u https://target.com -x http://127.0.0.1:8080 -H "Authorization: Bearer token"

# Multiple targets from file
waftester scan -l targets.txt -types all --json -o results.json

Related: auto (hands-off automated scanning), bypass (find WAF bypasses), assess (WAF effectiveness benchmarking). For API spec scanning, use the --spec flag or see the API Spec Scanning Guide.

run

The low-level test runner and the default command when no subcommand is provided. Executes test plans generated by learn or runs ad-hoc scans with full control over mutation engines, matchers, and filters.

The run command is heavily inspired by ffuf and nuclei workflows. It supports response matching (by status code, size, word count, line count, regex), response filtering, auto-calibration, mutations (encoding, chaining, evasion), and proxy replay for seamless integration with Burp Suite or ZAP.

When to use: You have a test plan from discover/learn, want mutation control, or need matcher/filter logic similar to ffuf.

Target

Core

Mutation

The mutation engine transforms payloads through encoders (base64, URL, HTML entity, hex, etc.), injection locations (query, body, header, path, fragment), and evasion techniques (case randomization, comment insertion, null bytes). Chain mode applies multiple transforms sequentially, exponentially expanding the payload space.

Matchers

Matchers select responses that meet criteria. Only matched responses appear in output. Use -auto-calibrate to automatically determine baseline response characteristics and filter noise.

Filters

Filters exclude responses that match criteria. The inverse of matchers. Combine matchers and filters for precise result selection.

Output

Network

Examples

# Execute a test plan
waftester run --plan testplan.json -u https://target.com

# Quick scan with mutation
waftester run -u https://target.com -m quick --chain

# Match specific status codes
waftester run -u https://target.com -mc 200,403 -fc 404

# Store responses for analysis
waftester run -u https://target.com -sr -srd ./responses

Related: discover → learn → run (three-step workflow). For simpler scanning, use scan instead.

bypass

Dedicated WAF bypass finder. Sends the full payload library against a target and identifies which payloads bypass the WAF (i.e., reach the application without being blocked). Results are ranked by confidence and categorized by attack type.

With --smart mode, the engine adapts in real time: it detects blocking patterns, switches tamper techniques, and focuses on the most promising bypass vectors.

When to use: You know a WAF is present and want to find what gets through. Pair with tampers --discover for maximum coverage.

When NOT to use: Without explicit authorization. Bypass payloads reach the application behind the WAF. If a payload succeeds, it has executed against the real application, not a sandbox.

Related: mutate (payload mutation engine), tampers (tamper technique management), vendor (identify the WAF first)

Plus enterprise integration flags.

Examples

# Find bypass payloads for injection attacks
waftester bypass -u https://target.com

# Smart bypass with auto-calibration
waftester bypass -u https://target.com --smart -ac

# Category-specific bypass
waftester bypass -u https://target.com --category xss

mutate

Payload mutation engine. Takes a set of payloads and generates variants by applying encoders (base64, URL, HTML entity, double-URL, hex, unicode), evasion techniques (case randomization, whitespace tricks, comment injection, null byte insertion), and injection location permutations (query string, POST body, headers, URL path, fragment).

Chain mode applies multiple transforms sequentially, producing an exponential payload space useful for deep WAF rule-set testing.

When to use: You want to expand a payload set to test WAF rule coverage, or need to generate evasion variants of known bypasses.

Plus enterprise integration flags.

Examples

# Quick mutation scan
waftester mutate -u https://target.com --mode quick

# Full mutation with chaining
waftester mutate -u https://target.com --mode full --chain

# Mutate a single payload
waftester mutate --payload "<script>alert(1)</script>" --encoders base64,url

fuzz

High-performance directory, file, and parameter fuzzer. Place the FUZZ keyword in the URL (or request body, headers) to mark the injection point. WAFtester substitutes each wordlist entry, sends the request, and applies matchers/filters to identify interesting responses.

Supports recursive directory discovery, file extension brute-forcing, multiple fuzzing modes (sniper, pitchfork, cluster bomb), and response extraction via regex or presets.

When to use: Directory discovery, parameter brute-forcing, virtual host enumeration, or any scenario where you need to iterate a wordlist against a URL pattern.

When NOT to use: With large wordlists against rate-limited or shared-hosting targets without throttling (-rate). A 100k-entry wordlist at full speed can trigger IP bans and affect other tenants on the same server.

Target

The FUZZ keyword marks where wordlist entries are substituted. Place it anywhere in the URL, path, query string, headers, or POST body.

Wordlist

Wordlist source and transformation options. Apply prefixes, suffixes, case changes, or shuffling before fuzzing.

Request

HTTP request configuration for fuzzing. Set methods, headers, cookies, extensions, rate limits, and threading.

Matchers

Select responses that match criteria. Only matched responses appear in results. Use auto-calibrate (-ac) to automatically determine baseline characteristics and exclude noise.

Filters

Exclude responses matching criteria. The inverse of matchers.

Output

Control result display format and verbosity.

Advanced

Recursive fuzzing, response storage, extraction, proxy, and debug options.

Plus enterprise integration flags.

Examples

# Directory fuzzing
waftester fuzz -u https://target.com/FUZZ -w wordlist.txt

# Parameter fuzzing with extensions
waftester fuzz -u https://target.com/FUZZ -w words.txt -e php,asp,html

# Recursive directory discovery
waftester fuzz -u https://target.com/FUZZ -w dirs.txt --recursion -rd 3

# Filter 404s and match by size
waftester fuzz -u https://target.com/FUZZ -w words.txt -fc 404 -ms 1234

probe

Multi-protocol HTTP probing and fingerprinting engine. For each target, probe performs TLS certificate analysis, JARM fingerprinting, technology detection (frameworks, CMS, languages), WAF identification, favicon hashing, CDN detection, HTTP/2 and WebSocket support checks, and DNS resolution.

Designed for processing large target lists efficiently. Pipe the output of subdomain enumeration tools directly into probe to quickly fingerprint an entire attack surface.

When to use: Asset inventory, technology mapping, WAF detection at scale, or pre-scan reconnaissance.

Related: vendor (dedicated WAF detection), discover (endpoint discovery)

Target

Probe Modules

Enable or disable individual probe modules. All are enabled by default. Disable modules you don’t need to speed up large scans.

Display Fields

Select which fields appear in output. By default, only the URL and status are shown. Enable additional fields to see server headers, technologies, IP addresses, CDN info, and more.

Output Format

Request

Network

Matchers

Filters

Extract

Storage

Output Control

Fine-tune what appears in probe results. Enable body previews, full response capture, or chain tracking for redirect analysis.

Advanced

Power-user flags for DNS resolution, TLS analysis, VHost enumeration, and protocol-level inspection.

Plus enterprise integration flags.

Examples

# Probe targets from a file
waftester probe -l urls.txt -json

# Show technology and server info
waftester probe -u https://target.com -td -server -title

# Filter by status code and extract FQDNs
waftester probe -l urls.txt -mc 200 -efqdn

crawl

Recursive web crawler with content discovery, JavaScript analysis, and data extraction. Crawls a site to a configurable depth, following links and optionally rendering JavaScript to discover dynamically loaded content. Extracts forms, API endpoints, parameters, email addresses, HTML comments, and embedded secrets.

With JS rendering enabled, WAFtester launches a headless browser to execute client-side JavaScript, catching single-page app routes and AJAX endpoints that static crawlers miss.

When to use: Pre-scan reconnaissance, attack surface mapping, or feeding discovered endpoints into scan or auto.

Examples

# Crawl with depth 5
waftester crawl -u https://target.com --depth 5

# Crawl with JS rendering
waftester crawl -u https://target.com --js --endpoints --params

# Extract secrets and emails
waftester crawl -u https://target.com --secrets --emails --json

discover

Automated service discovery and endpoint enumeration. Probes a target to identify API endpoints, query parameters, form fields, and service characteristics. The output feeds directly into learn to generate test plans.

Discovery combines passive analysis (HTML/JS parsing, link extraction) with active probing (common path checks, parameter detection) to build a target map.

When to use: Before learn + run workflows, or when you need a structured endpoint inventory for manual review.

Plus enterprise integration flags.

Examples

# Discover endpoints
waftester discover -u https://target.com -o endpoints.json

# Deep discovery
waftester discover -u https://target.com --depth 5 --verbose

Related: learn (generate test plan from discovery results) → run (execute the test plan)

learn

Test plan generator. Converts discovery results into executable test configurations for the run command. Selects attack types, payloads, and injection points based on discovered endpoints and parameters.

The generated test plan is a JSON file containing target URLs, parameter maps, payload selections, and matcher/filter rules. Edit the plan manually or feed it directly to run.

When to use: After discover, to create a reusable, auditable test plan. Useful for approval workflows where scans must be reviewed before execution.

Plus enterprise integration flags.

Examples

# Generate test plan from discovery
waftester learn -u https://target.com -o testplan.json

# Use custom payloads
waftester learn -u https://target.com --custom-payloads my-payloads.json

Related: discover (find endpoints first) → run (execute the generated test plan)

analyze

Static JavaScript analysis engine. Parses JavaScript files (local or remote) to extract URLs, API endpoints, hardcoded secrets (API keys, tokens, credentials), and DOM XSS sinks (innerHTML, document.write, eval). Works on minified and bundled code.

Contrast with crawl --js: the analyze command performs deep static analysis of individual JavaScript files, while crawl renders pages and discovers links dynamically.

When to use: Bug bounty recon, auditing client-side JavaScript for secrets and DOM sinks, or extracting hidden API endpoints from single-page app bundles.

Plus enterprise integration flags.

Examples

# Analyze JavaScript from a target
waftester analyze -u https://target.com/app.js

# Analyze a local file
waftester analyze --file bundle.js --json

# Extract only endpoints and secrets
waftester analyze -u https://target.com --urls=false --sinks=false

headless

Headless Chromium browser for interactive testing. Loads pages in a real browser environment with full JavaScript execution, captures screenshots, runs custom JS snippets, and performs DOM event crawling (clicking buttons, following dynamic links, interacting with forms).

DOM event crawling triggers JavaScript event handlers to discover application routes and functionality hidden behind user interactions. This finds endpoints that no static crawler or API spec can reveal.

When to use: Testing single-page applications, capturing visual evidence, executing custom JS payloads, or discovering functionality behind click handlers.

Plus enterprise integration flags.

Examples

# Basic headless browsing
waftester headless -u https://target.com --screenshot

# With JavaScript execution
waftester headless -u https://target.com --js "document.title"

# DOM event crawling
waftester headless -u https://target.com --event-crawl --max-clicks 100

# Multiple targets
waftester headless -l urls.txt --extract-urls --json

assess

Aliases: assessment, benchmark

Quantitative WAF effectiveness measurement. Sends a curated mix of attack payloads and benign requests to compute detection accuracy (true positive rate, false positive rate), F1 score, and Matthews Correlation Coefficient (MCC). These metrics give an objective comparison between WAF products, rule sets, or configuration changes.

The assessment includes optional false-positive testing using a corpus of legitimate requests that frequently trigger WAF false positives (e.g., SQL-like usernames, legitimate HTML content).

When to use: WAF product evaluation, before/after rule change comparison, compliance evidence, or vendor benchmarking.

Examples

# Full assessment with false positive testing
waftester assess -u https://target.com -fp

# Assessment with custom corpus
waftester assess -u https://target.com --custom-corpus ./my-corpus.txt

# Category-specific assessment
waftester assess -u https://target.com --categories sqli,xss

fp

Aliases: falsepositive, false-positive

Dedicated false positive testing. Sends a corpus of legitimate HTTP requests through the WAF and measures how many are incorrectly blocked. The built-in corpus covers common false-positive triggers: SQL-like usernames, HTML in user content, URLs containing path traversal-like patterns, and Unicode edge cases.

Paranoia levels (1-4) correspond to ModSecurity CRS paranoia levels, controlling how aggressive the test corpus is.

When to use: After WAF deployment or rule changes, to verify that legitimate traffic is not being blocked. Pairs with assess for a complete accuracy picture.

Plus enterprise integration flags.

Examples

# False positive test
waftester fp -u https://target.com

# High paranoia level
waftester fp -u https://target.com -pl 4

# Local mode with custom corpus
waftester fp -u https://target.com --local --corpus custom

vendor

Aliases: waf-detect, detect-waf

WAF vendor detection and fingerprinting. Sends crafted requests and analyzes responses (headers, cookies, error pages, status codes, body content) to identify the WAF product from a database of 197 signatures. Detection covers cloud WAFs (Cloudflare, AWS WAF, Akamai, Azure Front Door, Imperva), CDN-integrated WAFs, and self-hosted solutions (ModSecurity, NAXSI).

Results inform tamper selection and evasion strategy. The auto command runs vendor detection automatically; use this command standalone when you only need identification.

When to use: Quick WAF identification before manual testing, or feeding results into tampers --for-waf.

Plus enterprise integration flags.

Examples

# Detect WAF vendor
waftester vendor -u https://target.com

# Auto-tune detection
waftester vendor -u https://target.com --autotune

# List supported WAFs
waftester vendor --list

protocol

Alias: proto

HTTP protocol support detection and analysis. Tests a target for HTTP/1.0, HTTP/1.1, HTTP/2 (h2, h2c), and HTTP/3 (QUIC) support, TLS versions, supported cipher suites, and protocol-level behaviors (keep-alive, pipelining, content negotiation). Useful for identifying protocol-level attack surfaces like HTTP/2 smuggling or downgrade attacks.

When to use: Pre-scan protocol reconnaissance, or before running smuggle to understand the target’s protocol stack.

Plus enterprise integration flags.

Examples

# Detect protocols
waftester protocol -u https://target.com

tampers

Alias: tamper

Tamper technique management. Lists all available payload transformation techniques, recommends WAF-specific bypasses, tests transformations interactively, and discovers effective tampers automatically against a live target.

The discovery mode (--discover) sends tampered payloads to a target, measures which transformations bypass the WAF, confirms results across multiple rounds to eliminate false positives, and ranks the effective techniques.

When to use: Reviewing available tampers before a scan, getting WAF-specific recommendations, or discovering which transformations actually bypass a target WAF.

Plus enterprise integration flags.

Examples

# List all tampers
waftester tampers --list

# WAF-specific recommendations
waftester tampers --for-waf=cloudflare

# Test a payload with a tamper
waftester tampers --test "<script>alert(1)</script>" --tamper space2comment

# Show evasion matrix
waftester tampers --matrix

# Auto-discover bypass tampers
waftester tampers --discover --target https://target.com --top-n 10

template

Aliases: templates, nuclei

Nuclei-compatible template scanner. Executes YAML-based vulnerability detection templates against targets. Templates define request patterns, matchers, and extractors for specific CVEs, misconfigurations, or technology fingerprints.

WAFtester ships with built-in templates and can load custom templates from a directory. Templates can be filtered by tags (e.g., cve, sqli, misconfig) and severity level.

When to use: CVE-specific scanning, running community detection templates, or building reproducible vulnerability checks as YAML files.

Examples

# Scan with specific template
waftester template -u https://target.com -t templates/sqli-auth-bypass.yaml

# Scan with tag filter
waftester template -u https://target.com --tags cve,sqli --severity critical,high

# Validate templates
waftester template --validate -t ./templates/

Subcommands

The template command also supports positional subcommands for browsing bundled templates:

# List template categories
waftester template list

# List templates in a category
waftester template list policies

# Show a specific template
waftester template show policies/strict
waftester template show nuclei/http/waf-bypass/sqli-basic

smuggle

HTTP request smuggling detection and exploitation testing. Tests for CL.TE, TE.CL, TE.TE, and H2.CL smuggling variants by sending ambiguous requests and analyzing how the target’s frontend/backend infrastructure interprets them.

Safe mode (default) uses non-destructive timing-based probes that do not inject smuggled requests that could affect other users. Disable safe mode only in controlled environments.

When to use: Testing reverse proxy and CDN configurations for request smuggling vulnerabilities. Run protocol first to understand the target’s HTTP stack.

When NOT to use: On shared infrastructure (CDNs, shared load balancers) without coordination. Smuggled requests can affect other users behind the same proxy. Keep safe mode enabled (the default) unless you are in an isolated test environment.

Plus enterprise integration flags.

Examples

# Safe smuggling test
waftester smuggle -u https://target.com

# Full testing with longer delay
waftester smuggle -u https://target.com --safe=false --delay 2000

race

Race condition testing for TOCTOU (time-of-check-time-of-use), double-submit, and limit-bypass vulnerabilities. Sends concurrent identical requests to detect business logic flaws where the application fails to handle simultaneous access correctly, such as processing a coupon code twice, exceeding account balance limits, or bypassing rate limiters.

When to use: Testing checkout flows, coupon redemption, vote/like counters, account balance transfers, or any endpoint where concurrent access could produce unintended results.

When NOT to use: Against live production checkout, payment, or financial endpoints without a test account. Race condition exploits can cause real financial transactions: double charges, duplicate orders, or balance manipulation. Always test in staging first.

Plus enterprise integration flags.

Examples

# Double-submit race test
waftester race -u https://target.com/checkout -c 100

# Custom body and method
waftester race -u https://target.com/api/transfer --method POST --body '{"amount":100}'

workflow

YAML-based workflow orchestration. Define multi-step security testing pipelines as YAML files, chaining discovery, scanning, assessment, and reporting steps with conditional logic and variable substitution. Steps can depend on previous step outputs, enabling dynamic pipelines.

When to use: Repeatable multi-stage security audits, custom pipeline automation, or when auto mode does not fit your specific workflow.

Plus enterprise integration flags.

Examples

# Execute a workflow
waftester workflow -f recon.yaml

# With variables
waftester workflow -f pipeline.yaml --var target=https://target.com --var depth=5

# Dry run
waftester workflow -f pipeline.yaml --dry-run

openapi

Aliases: openapi-fuzz, swagger

API specification-driven security testing. Parses OpenAPI 3.x or Swagger 2.0 specs to enumerate endpoints, extract parameter schemas, and generate targeted attack payloads that respect the API contract (correct content types, required fields, valid enum values) while injecting malicious data into individual parameters.

This approach tests WAF rules in the context of the actual API surface, catching parameter-specific bypasses and schema-aware injection vectors that generic scanning would miss.

When to use: Testing REST APIs that have an OpenAPI/Swagger spec. For GraphQL, gRPC, or SOAP, use the dedicated commands instead.

Examples

# List endpoints from spec
waftester openapi --spec openapi.yaml --list

# Fuzz all endpoints
waftester openapi --spec openapi.yaml --fuzz -u https://api.example.com

# Auth-protected API
waftester openapi --spec openapi.yaml --fuzz --bearer "$TOKEN" -u https://api.example.com

grpc

Alias: grpc-test

gRPC service security testing. Uses gRPC server reflection to discover services and methods, then tests them with injection payloads, malformed protobuf messages, and type-confusion inputs. Supports listing services, calling individual methods, and automated fuzzing across all discovered endpoints.

When to use: Testing gRPC APIs (microservices, internal APIs). The target must support gRPC reflection, or you can provide the proto definitions.

Examples

# List gRPC services
waftester grpc -u localhost:50051 --list

# Call a method
waftester grpc -u localhost:50051 --call UserService.GetUser -d '{"id": 1}'

# Fuzz gRPC services
waftester grpc -u localhost:50051 --fuzz --category injection

soap

Alias: wsdl

SOAP/WSDL service security testing. Parses WSDL definitions to discover operations, generates SOAP envelopes for each operation, and tests for XXE (XML External Entity), XML injection, SSRF (via SOAP attributes), and command injection. Supports custom SOAPAction headers, namespace overrides, and request body templates.

When to use: Testing legacy SOAP/XML web services. For REST APIs, use scan or openapi instead.

Examples

# List SOAP operations
waftester soap --wsdl https://api.example.com?wsdl --list

# Fuzz a specific operation
waftester soap --wsdl https://api.example.com?wsdl --operation GetUser --fuzz

# Custom SOAP request
waftester soap -u https://api.example.com --action GetUser -f request.xml

cloud

Alias: cloud-discover

Cloud infrastructure discovery and enumeration. Identifies exposed cloud resources (S3 buckets, Azure Blob containers, GCP Storage buckets), misconfigured permissions, and publicly accessible services across AWS, Azure, and GCP. Combines passive techniques (certificate transparency logs, DNS enumeration) with active brute-forcing using wordlists.

When to use: Attack surface discovery for organizations using cloud infrastructure. Run early in an engagement to find shadow IT and misconfigured storage.

Examples

# Discover cloud resources
waftester cloud -d example.com

# AWS-only with wordlist
waftester cloud -d example.com --providers aws -w wordlist.txt

# Passive-only recon
waftester cloud -d example.com --passive --json

cicd

Aliases: ci-cd, pipeline

CI/CD pipeline generator. Produces ready-to-use pipeline configuration files for GitHub Actions, GitLab CI, Azure Pipelines, Jenkins, and other CI platforms. Generated pipelines run WAFtester scans on push/PR/schedule, upload SARIF results, and optionally fail builds on high-severity findings.

When to use: Setting up automated security testing in your CI/CD pipeline. The generated files are fully functional and can be committed directly.

Examples

# Generate GitHub Actions workflow
waftester cicd -p github -u https://target.com -o .github/workflows/waf-test.yml

# GitLab with schedule
waftester cicd -p gitlab --on-schedule --cron "0 2 * * 1"

# List supported platforms
waftester cicd --list

plugin

Alias: plugins

Plugin management for extending WAFtester with custom Go plugins (.so shared libraries). Plugins can implement custom scanners, output formatters, or payload generators that integrate with the WAFtester execution pipeline.

When to use: Extending WAFtester with organization-specific scanning logic, custom output integrations, or proprietary payload generators.

Examples

# List plugins
waftester plugin --list

# Run a plugin
waftester plugin --run custom-scanner -u https://target.com

# Load and run with config
waftester plugin --load ./custom.so --run custom-scanner --config plugin.yaml

mcp

Alias: mcp-server

Model Context Protocol (MCP) server for AI agent integration. Exposes WAFtester’s scanning, analysis, and reporting capabilities as MCP tools and resources that AI assistants (Claude, GPT, Copilot) can invoke programmatically. Supports stdio transport (for IDE integration) and HTTP transport (for remote agents).

When to use: Connecting WAFtester to AI development environments (VS Code, Claude Desktop, Cursor) or building AI-powered security workflows.

Examples

# Stdio mode (default, for IDE/Claude Desktop)
waftester mcp

# HTTP mode for remote access
waftester mcp --http :8080

# With tamper scripts for bypass discovery
waftester mcp --tamper-dir ./my-tampers

# Custom payload directory
WAF_TESTER_PAYLOAD_DIR=/opt/payloads waftester mcp

validate

Payload and API specification validator. Checks payload JSON files for schema compliance, duplicate IDs, missing fields, and encoding issues. Validates API specifications (OpenAPI, Swagger) for structural correctness, reachable servers, and security definition completeness.

When to use: Before committing payload changes, after updating API specs, or in CI pipelines to catch spec/payload regressions early.

Plus enterprise integration flags.

Examples

# Validate payloads
waftester validate --payloads ./payloads

# Validate an API spec
waftester validate --spec openapi.yaml

# Strict validation
waftester validate --payloads ./payloads --fail-fast --verbose

validate-templates

Nuclei template validator. Checks YAML template files for syntax errors, missing required fields (id, info, requests), invalid matchers/extractors, and best-practice violations. Strict mode enforces additional rules (unique IDs, proper severity tags, description length).

When to use: After writing or modifying Nuclei templates, or in CI to prevent broken templates from being merged.

Plus enterprise integration flags.

Examples

# Validate templates
waftester validate-templates --templates ./templates/nuclei

# Strict mode
waftester validate-templates --strict --verbose

report

Aliases: html-report, enterprise-report

Enterprise HTML report generator. Reads results from an auto scan workspace directory and produces a self-contained HTML report with executive summary, finding details, severity distribution charts, WAF effectiveness metrics, and remediation guidance. The report is designed for stakeholder consumption.

When to use: After an auto scan, when you need a presentation-ready report for management, clients, or compliance evidence.

Plus enterprise integration flags.

Examples

# Generate report from workspace
waftester report --workspace ./waftester-workspace-abc123 --output report.html

# With custom target name
waftester report --workspace ./results --output report.html --target "Production API"

update

Payload update manager. Synchronizes local payload files with upstream sources (OWASP, community repositories). Shows a diff of changes, supports dry-run preview, and handles version bumps for the payload manifest. Destructive changes (payload removals, ID changes) require explicit opt-in.

When to use: Keeping payloads current with the latest attack techniques and WAF bypass discoveries.

Plus enterprise integration flags.

Examples

# Check for updates
waftester update --dry-run

# Apply updates
waftester update --auto-apply

# Skip destructive changes
waftester update --skip-destructive

Shared Flag Groups

These flag groups are shared across multiple commands. Rather than duplicating them in every command section, they are documented here once.

Output Flags

File export formats for persisting scan results. Most security scanners and CI/CD platforms consume one or more of these formats. SARIF is the standard for GitHub Code Scanning, JUnit is used by most CI runners for test reporting, and CycloneDX/SonarQube integrate with supply chain and code quality tools.

Available on auto, scan, run, probe, fuzz, and bypass commands (subset varies by command).

Content Control

Control the verbosity of exported data. Omit raw request/response bodies for smaller files, or restrict output to bypass-only findings for focused analysis.

Stats

Live scan progress statistics. Displays request rates, finding counts, and estimated time remaining during long-running scans.

Enterprise Integration Flags

Integration flags for connecting WAFtester findings to external systems: ticketing (Jira, GitHub Issues, Azure DevOps), communication (Slack, Teams, PagerDuty), observability (OpenTelemetry, Elasticsearch, Prometheus), and CI/CD platforms (GitHub Actions summaries, policy gates).

Available on most commands. Findings are sent to configured integrations in real time as they are discovered.

Webhooks and CI

Send findings to webhooks, Slack/Teams channels, or CI-specific output formats.

Jira

Automatically create Jira tickets for findings. Each finding becomes a Jira issue with severity-mapped priority, attack details, and reproduction steps.

GitHub Issues

Create GitHub issues for findings. Works with GitHub.com and GitHub Enterprise Server.

Azure DevOps

Create Azure DevOps work items for findings. Supports custom work item types, area paths, and iteration paths.

OpenTelemetry

Export scan telemetry (traces and metrics) to an OpenTelemetry collector for integration with Jaeger, Grafana, Datadog, or other observability platforms.