Find WAF Bypasses Before Your Client's Attackers Do
Automated evasion discovery, tamper chain generation, and quantitative bypass reporting — built for pentest engagements.
Penetration testers spend hours manually testing WAF rules with Burp Suite or curl. WAFtester automates the entire workflow: detect the WAF vendor, test thousands of payloads with WAF-specific tampers, discover evasion chains, and export results in formats your client's security team can immediately use. Below is the typical four-phase workflow.
The Problem
Manual Bypass Testing Is Slow
Trying tamper combinations by hand in Burp or curl burns hours per engagement. Most combos yield nothing.
Generic Scanners Miss WAF Context
Nuclei and sqlmap send the same payloads regardless of which WAF sits in front of the target. Neither picks tampers for the specific vendor it is hitting.
Clients Want Numbers
"We found some bypasses" isn't enough. Clients need detection rates, F1 scores, and quantitative evidence for their security reviews.
The Pentest Workflow
A typical WAF assessment with WAFtester follows four phases. Each produces standalone deliverables.
Recon: Identify the WAF
Detect the WAF vendor and any CDN layer in front of it, and get recommended tampers and payload categories for that vendor, in seconds.
$ waf-tester vendor -u https://target.com
[VENDOR] Primary: Cloudflare (98% confidence)
[VENDOR] CDN: Fastly detected
[RECOMMEND] tampers: charunicodeencode, randomcase
[RECOMMEND] categories: xss, sqli, ssti
Scan: Test 2,800+ Payloads
Run the full payload library against the target with WAF-aware tamper selection.
$ waf-tester scan -u https://target.com --smart --threads 20
[INFO] Testing 2,847 payloads across 12 categories...
████████████████████████████████ 100% | 2847/2847
[RESULTS] Detection rate: 95.8%
[RESULTS] Bypasses: 119/2847 (4.2%)
Bypass: Discover Evasion Chains
Automatically combine 90+ tampers with mutators to find working bypass chains.
$ waf-tester bypass -u https://target.com --tamper-auto
[BYPASS] Testing 90+ tamper x 49 mutator combos...
[FOUND] charunicodeencode + xss/event-handler
[FOUND] randomcase + sqli/union-based
[FOUND] doubleurlencode + ssti/jinja2
→ 23 unique bypass chains discovered
Report: Generate Client Deliverables
Export findings in multiple formats. HTML for the client, JSON for your toolkit, SARIF for their code scanning pipeline.
$ waf-tester scan -u https://target.com --smart -o report.html -o findings.json -o results.sarif
→ report.html (Client-facing report)
→ findings.json (Machine-readable data)
→ results.sarif (GitHub Code Scanning)
Built for Pentest Engagements
Auto Tamper Selection
--smart mode detects the WAF vendor and automatically selects the most effective tampers. No guesswork required.
70+ Evasion Techniques
URL encoding, Unicode, hex, double encoding, case randomization, HTML entities, and dozens more — all combinable into chains.
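The bypass phase above and the evasion-technique list are both about the same mechanism: tampers are small payload transforms, and a chain applies several in order. The block below is an added illustration written for this page, not WAFtester's own code. It uses the three tamper names shown in the bypass output (charunicodeencode, randomcase, doubleurlencode); their behaviour here follows the sqlmap-style definitions and is an assumption about how WAFtester implements them. The probe payload is constructed.

```python
"""Added example: how tamper functions compose into evasion chains.

Not WAFtester's implementation. Tamper semantics are assumed to match
the sqlmap-style definitions of the same names.
"""
import itertools
import random
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple
from urllib.parse import quote


def charunicodeencode(payload: str) -> str:
    """IIS-style %uXXXX encoding of every character (' -> %u0027)."""
    return "".join(f"%u{ord(c):04X}" for c in payload)


def doubleurlencode(payload: str) -> str:
    """URL-encode every non-alphanumeric character, then encode the result
    again (< -> %3C -> %253C). Beats filters that decode only once."""
    return quote(quote(payload, safe=""), safe="")


def randomcase(payload: str, seed: Optional[int] = None) -> str:
    """Randomise letter case; defeats case-sensitive signatures ('UNION').
    A seed makes the output reproducible for a report."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in payload)


TAMPERS: Dict[str, Callable[[str], str]] = {
    "charunicodeencode": charunicodeencode,
    "doubleurlencode": doubleurlencode,
    "randomcase": randomcase,
}


def apply_chain(payload: str, chain: Iterable[str]) -> str:
    """Apply tampers left to right. Order matters: an encoder applied after
    another encoder encodes the first one's '%' signs, so the two orders
    produce different requests and may hit different WAF rules."""
    for name in chain:
        payload = TAMPERS[name](payload)
    return payload


def chains(names: Iterable[str], max_len: int) -> Iterator[Tuple[str, ...]]:
    """Every ordered chain of 1..max_len distinct tampers. This is the search
    space an automated bypass phase walks; with 90 tampers and max_len=2 it
    is already 90 + 90*89 = 8,100 chains per payload."""
    names = list(names)
    for n in range(1, max_len + 1):
        yield from itertools.permutations(names, n)


if __name__ == "__main__":
    # Constructed probe, the kind an xss/event-handler payload looks like.
    probe = "<img src=x onerror=alert(1)>"
    for chain in chains(TAMPERS, max_len=2):
        print("+".join(chain), "->", apply_chain(probe, chain))
```

Two points worth taking from the code when reading bypass reports: a chain is a sequence, not a set, so `doubleurlencode + charunicodeencode` and the reverse order are distinct findings; and randomised tampers must be seeded (or the exact mutated request saved) or the client cannot reproduce the bypass from the report.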
Proxy Integration
Route traffic through Burp Suite or any HTTP/SOCKS proxy with --proxy. Inspect every request WAFtester sends.
Quantitative Results
F1 Score, MCC, Detection Rate, False Positive Rate — real metrics your client can track over time, not just "we found bypasses."
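To make those numbers checkable rather than a black box, here is how they are derived from a set of scan results. This is an added example written for this page, not WAFtester's scoring code, and the record format is constructed (one entry per request with its class, attack or benign, and whether the WAF blocked it); the real findings.json schema is not shown on this page. The attack counts match the scan output above (2,847 payloads, 119 bypasses); the 500 benign requests with 12 false positives are made-up figures to show the metrics that need benign traffic.

```python
"""Added example: detection rate, F1, FPR and MCC from labelled WAF results.

Not WAFtester's scoring module. Record format and benign counts are
constructed for illustration.
"""
import math
from typing import Dict, Iterable, List


def confusion(records: Iterable[dict]) -> Dict[str, int]:
    """Tally outcomes with 'attack' as the positive class: a blocked attack
    is a true positive, a blocked benign request a false positive."""
    c = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for r in records:
        if r["class"] == "attack":
            c["tp" if r["blocked"] else "fn"] += 1
        else:
            c["fp" if r["blocked"] else "tn"] += 1
    return c


def metrics(c: Dict[str, int]) -> Dict[str, float]:
    """Standard binary-classification metrics; zero denominators score 0."""
    tp, fn, fp, tn = c["tp"], c["fn"], c["fp"], c["tn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0  # the page's "detection rate"
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / denom if denom else 0.0
    return {"detection_rate": recall, "precision": precision,
            "f1": f1, "fpr": fpr, "mcc": mcc}


def sample_findings() -> List[dict]:
    """Constructed dataset reproducing the scan output above plus a
    made-up benign corpus (500 requests, 12 wrongly blocked)."""
    recs = [{"class": "attack", "blocked": True}] * 2728
    recs += [{"class": "attack", "blocked": False}] * 119
    recs += [{"class": "benign", "blocked": True}] * 12
    recs += [{"class": "benign", "blocked": False}] * 488
    return recs


def score_sample() -> Dict[str, float]:
    return metrics(confusion(sample_findings()))


if __name__ == "__main__":
    for name, value in score_sample().items():
        print(f"{name:>15}: {value:.3f}")
```

The practical caveat the code makes visible: detection rate alone rewards a WAF that blocks everything, and F1, FPR and MCC all need benign requests to be meaningful. A scan that sends only attack payloads can report a detection rate, but the other three require a benign corpus sent through the same WAF, so compare them only across runs that used the same corpus.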
Custom Payloads
Drop your own JSON payload files or use community payloads. Target specific attack categories with --categories sqli,xss.
Rate Limiting Controls
Fine-tune request rate with --delay and --threads to avoid triggering IP bans during an engagement. Rate-based blocking also skews the numbers: a 429 or challenge page triggered by request volume counts as a block even though the payload was never inspected, so keep the rate below the WAF's threshold when you are measuring detection rather than resilience.
Quick Reference
| Task | Command |
|---|---|
| Identify WAF vendor | waf-tester vendor -u <target> |
| Smart scan | waf-tester scan -u <target> --smart |
| SQLi-only through Burp | waf-tester scan -u <target> --categories sqli --proxy http://127.0.0.1:8080 |
| Auto bypass discovery | waf-tester bypass -u <target> --tamper-auto |
| Full automated assessment | waf-tester auto -u <target> -o report.html |
| Benchmark WAF accuracy | waf-tester benchmark -u <target> |
See the full documentation for all commands and advanced options, or grab commands from the cheat sheet. For scoring and compliance reporting, see Compliance & Benchmarking. To automate testing with AI, try AI & MCP Agents.
Ready to Try It?
One command to install. One command to scan. Real results in seconds.