qandil/waftester

By qandil

Updated 4 months ago

WAF security testing with 2800+ payloads — CLI + MCP server in one image

Image
Security
Integration & delivery
0

8.7K

qandil/waftester repository overview

WAFtester

Website GitHub release License

What is WAFtester?

WAFtester is a WAF security testing platform with 2800+ attack payloads, 198 WAF vendor signatures, and a built-in MCP server for AI agent integration (Claude, VS Code Copilot, Cursor).

One image, two modes. Starts as an MCP server by default. Override the command to use it as a CLI.

Quick Start — MCP Server (default)

docker run -d -p 8080:8080 qandil/waftester

The MCP server starts on port 8080 with streamable HTTP transport. Connect any MCP-compatible client to http://localhost:8080/mcp.

Claude Desktop

Add to claude_desktop_config.json (macOS: ~/Library/Application Support/Claude/, Windows: %APPDATA%\Claude\):

{
  "mcpServers": {
    "waf-tester": {
      "url": "http://localhost:8080/mcp"
    }
  }
}
VS Code / Cursor

Add to .vscode/mcp.json in your workspace:

{
  "servers": {
    "waf-tester": {
      "url": "http://localhost:8080/mcp"
    }
  }
}

Quick Start — CLI Mode

Override the default command to use any WAFtester CLI feature:

# Full automated scan (discover + learn + run + report)
docker run --rm qandil/waftester auto -u https://example.com

# Smart scan with WAF detection
docker run --rm qandil/waftester scan -u https://example.com --smart

# WAF detection and fingerprinting
docker run --rm qandil/waftester probe -u https://example.com

# Enterprise WAF assessment
docker run --rm qandil/waftester assess -u https://example.com

... via docker compose

Example compose.yaml for running the MCP server:

services:
  waftester:
    image: qandil/waftester:latest
    ports:
      - "8080:8080"
    restart: unless-stopped
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    security_opt:
      - no-new-privileges:true

Run docker compose up -d and connect your AI client to http://localhost:8080/mcp.

Environment Variables

VariableDefaultDescription
WAF_TESTER_HTTP_ADDR:8080HTTP listen address for MCP server
WAF_TESTER_PAYLOAD_DIR/app/payloadsPath to payload JSON files
WAF_TESTER_PRESET_DIR/app/presetsPath to service preset JSON files
WAF_TESTER_TEMPLATE_DIR/app/templates/nucleiPath to Nuclei YAML templates

Examples:

# Change HTTP listen port
docker run -d -p 9090:9090 \
  -e WAF_TESTER_HTTP_ADDR=:9090 \
  qandil/waftester

# Mount custom service presets
docker run -d -p 8080:8080 \
  -v /path/to/presets:/app/presets:ro \
  qandil/waftester

# Mount custom payloads and presets
docker run -d -p 8080:8080 \
  -v /path/to/payloads:/app/payloads:ro \
  -v /path/to/presets:/app/presets:ro \
  qandil/waftester

Features

  • MCP server built in — AI agents test WAFs via natural language
  • 2800+ payloads across 50+ attack categories (SQLi, XSS, SSRF, SSTI, LFI, RCE, and more)
  • 198 WAF signatures for automatic detection and fingerprinting
  • 96 evasion techniques with encoding chains, case mutation, and bypass strategies
  • Automated bypass discovery — test tamper combinations to find WAF bypasses with --discover
  • Custom tamper authoring — write Tengo-based tamper scripts and load via --tamper-dir
  • SPA event crawling — DOM event discovery for JavaScript-heavy targets with --event-crawl
  • Multi-protocol templates — Nuclei-compatible templates support HTTP, DNS, TCP, and UDP
  • Smart mode — auto-detects WAF vendor and optimizes payloads, rate limits, and encoders
  • API spec scanning — OpenAPI, Swagger, Postman, HAR, AsyncAPI, gRPC, and GraphQL
  • Output formats: JSON, JSONL, SARIF, HTML, PDF, Markdown, JUnit, CSV, XML, CycloneDX, SonarQube, GitLab SAST, HAR

Image Details

PropertyValue
Base imagegcr.io/distroless/static-debian12:nonroot
Usernonroot (UID 65534)
Size~11 MB
Exposed port8080
Entrypoint/app/waf-tester
Default commandmcp --http :8080

The image is read-only safe — no shell, no package manager, minimal attack surface.

Supported Architectures

ArchitectureAvailable
linux/amd64Yes
linux/arm64Yes

Multi-platform manifest — Docker pulls the correct image for your architecture.

Documentation

License

Business Source License 1.1 (core). Community payloads under MIT.

Tag summary

Content type

Image

Digest

sha256:679ace620

Size

12.5 MB

Last updated

4 months ago

docker pull qandil/waftester