aeondave/wafw00f
offensive-tools/recon/wafw00f/SKILL.md
Auth/lab ref: WAF detection tool. Fingerprints Web Application Firewalls by analyzing HTTP responses to crafted requests.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill wafw00fInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 4:01 AM213.5s1 file scanned
SKILL.md
- name:
- wafw00f
- description:
- Auth/lab ref: WAF detection tool. Fingerprints Web Application Firewalls by analyzing HTTP responses to crafted requests.
- license:
- MIT
- compatibility:
- Linux/macOS/Windows; Python 3; targets any HTTP/HTTPS service.
- author:
- AeonDave
- version:
- 1.0
- category:
- recon
- language:
- python
wafw00f
WAF fingerprinting via crafted HTTP probes. Use before content discovery, injection testing, or active scanning to know what protection is in place.
Quick start
# Detect WAF on single target
wafw00f https://target.com
# Try all fingerprints (not just first match)
wafw00f -a https://target.com
# Multiple targets from file
wafw00f -i targets.txt
# Output formats
wafw00f https://target.com -o json -f output.json
wafw00f https://target.com -o csv -f output.csv
# Verbose (show probe details)
wafw00f -v https://target.com
Output interpretation
[+] The site https://target.com is behind Cloudflare (Cloudflare Inc.) WAF.
[+] The site https://target.com is behind ModSecurity (SpiderLabs/Trustwave)
[-] No WAF detected by the generic detection
No detection does not mean no WAF — some WAFs are passive (log-only) or use custom signatures not in wafw00f's database.
Integration in workflow
Run after initial HTTP fingerprinting and before:
- Content discovery / directory brute-force
- Active injection testing (SQLi, XSS)
- Nuclei scanning
Result informs bypass strategy — see offensive-techniques/web-exploit-technique/references/waf-bypass.md.
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026