WAF security testing with 2800+ payloads — CLI + MCP server in one image
8.7K
WAFtester is a WAF security testing platform with 2800+ attack payloads, 198 WAF vendor signatures, and a built-in MCP server for AI agent integration (Claude, VS Code Copilot, Cursor).
One image, two modes. Starts as an MCP server by default. Override the command to use it as a CLI.
docker run -d -p 8080:8080 qandil/waftester
The MCP server starts on port 8080 with streamable HTTP transport. Connect any MCP-compatible client to http://localhost:8080/mcp.
Add to claude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):
{
"mcpServers": {
"waf-tester": {
"url": "http://localhost:8080/mcp"
}
}
}
Add to .vscode/mcp.json in your workspace:
{
"servers": {
"waf-tester": {
"url": "http://localhost:8080/mcp"
}
}
}
Override the default command to use any WAFtester CLI feature:
# Full automated scan (discover + learn + run + report)
docker run --rm qandil/waftester auto -u https://example.com
# Smart scan with WAF detection
docker run --rm qandil/waftester scan -u https://example.com --smart
# WAF detection and fingerprinting
docker run --rm qandil/waftester probe -u https://example.com
# Enterprise WAF assessment
docker run --rm qandil/waftester assess -u https://example.com
docker composeExample compose.yaml for running the MCP server:
services:
waftester:
image: qandil/waftester:latest
ports:
- "8080:8080"
restart: unless-stopped
read_only: true
tmpfs:
- /tmp:noexec,nosuid,size=64m
security_opt:
- no-new-privileges:true
Run docker compose up -d and connect your AI client to http://localhost:8080/mcp.
| Variable | Default | Description |
|---|---|---|
WAF_TESTER_HTTP_ADDR | :8080 | HTTP listen address for MCP server |
WAF_TESTER_PAYLOAD_DIR | /app/payloads | Path to payload JSON files |
WAF_TESTER_PRESET_DIR | /app/presets | Path to service preset JSON files |
WAF_TESTER_TEMPLATE_DIR | /app/templates/nuclei | Path to Nuclei YAML templates |
Examples:
# Change HTTP listen port
docker run -d -p 9090:9090 \
-e WAF_TESTER_HTTP_ADDR=:9090 \
qandil/waftester
# Mount custom service presets
docker run -d -p 8080:8080 \
-v /path/to/presets:/app/presets:ro \
qandil/waftester
# Mount custom payloads and presets
docker run -d -p 8080:8080 \
-v /path/to/payloads:/app/payloads:ro \
-v /path/to/presets:/app/presets:ro \
qandil/waftester
--discover--tamper-dir--event-crawl| Property | Value |
|---|---|
| Base image | gcr.io/distroless/static-debian12:nonroot |
| User | nonroot (UID 65534) |
| Size | ~11 MB |
| Exposed port | 8080 |
| Entrypoint | /app/waf-tester |
| Default command | mcp --http :8080 |
The image is read-only safe — no shell, no package manager, minimal attack surface.
| Architecture | Available |
|---|---|
linux/amd64 | Yes |
linux/arm64 | Yes |
Multi-platform manifest — Docker pulls the correct image for your architecture.
Business Source License 1.1 (core). Community payloads under MIT.
Content type
Image
Digest
sha256:679ace620…
Size
12.5 MB
Last updated
4 months ago
docker pull qandil/waftester