{"id":43047664,"url":"https://github.com/waftester/waftester","last_synced_at":"2026-03-07T12:06:41.560Z","repository":{"id":336997664,"uuid":"1151528468","full_name":"waftester/waftester","owner":"waftester","description":"Professional WAF security testing toolkit","archived":false,"fork":false,"pushed_at":"2026-02-22T14:34:12.000Z","size":6579,"stargazers_count":2,"open_issues_count":2,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-22T19:43:57.106Z","etag":null,"topics":["cli","golang","owasp","penetration-testing","security","security-testing","waf","web-application-firewall"],"latest_commit_sha":null,"homepage":"https://waftester.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/waftester.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-06T15:25:00.000Z","updated_at":"2026-02-22T14:34:16.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/waftester/waftester","commit_stats":null,"previous_names":["waftester/waftester"],"tags_count":69,"template":false,"template_full_name":null,"purl":"pkg:github/waftester/waftester","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waftester%2Fwaftester","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waftester%2Fwaftester/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waftester%2Fwaftester/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waftester%2Fwaftester/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/waftester","download_url":"https://codeload.github.com/waftester/waftester/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/waftester%2Fwaftester/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29786978,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T10:45:18.109Z","status":"ssl_error","status_checked_at":"2026-02-24T10:45:09.911Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","golang","owasp","penetration-testing","security","security-testing","waf","web-application-firewall"],"created_at":"2026-01-31T10:04:19.646Z","updated_at":"2026-02-26T01:26:13.141Z","avatar_url":"https://github.com/waftester.png","language":"Go","readme":"# WAFtester\n\nThe most comprehensive Web Application Firewall testing platform for security professionals and enterprise teams. Detect, fingerprint, and assess WAF security posture with quantitative metrics.\n\n[![License](https://img.shields.io/badge/License-BSL%201.1-blue.svg)](LICENSE)\n[![Go](https://img.shields.io/badge/Go-1.24+-00ADD8.svg)](https://go.dev/)\n[![Release](https://img.shields.io/github/v/release/waftester/waftester)](https://github.com/waftester/waftester/releases)\n[![npm](https://img.shields.io/npm/v/@waftester/cli)](https://www.npmjs.com/package/@waftester/cli)\n\n---\n\n## Overview\n\nWAFtester provides enterprise-grade WAF security assessment through a single, unified platform. Unlike fragmented toolchains that require manual correlation between detection, bypass, and reporting phases, WAFtester delivers end-to-end automated testing with statistical validation.\n\n```bash\nwaf-tester auto -u https://target.com --smart\n```\n\nThis command executes a complete security assessment: endpoint discovery, WAF vendor identification, optimal bypass technique selection, 2,800+ payload testing, and quantitative report generation.\n\n---\n\n## The Problem WAFtester Solves\n\nModern security teams face three critical challenges when assessing WAF effectiveness:\n\n**Fragmented Tooling.** Traditional assessments require chaining multiple tools (wafw00f, sqlmap, nuclei, custom scripts), manual correlation of results, and significant expertise to interpret findings.\n\n**No Quantitative Metrics.** Most tools report binary pass/fail results. Security teams need statistical measures (False Positive Rate, F1 Score, MCC) to make informed decisions about WAF configuration and vendor selection.\n\n**WAF-Agnostic Testing.** Generic payloads waste time against well-configured WAFs. Effective testing requires WAF-specific bypass techniques selected based on the detected vendor and configuration.\n\nWAFtester addresses these challenges with an integrated platform that automates the entire assessment lifecycle.\n\n---\n\n## Core Capabilities\n\n### WAF Detection and Fingerprinting\n\nIdentify WAF vendors with high confidence using 197 vendor signatures.\n\n```\n$ waf-tester vendor -u https://protected.example.com\n\nWAF Detection Results\n--------------------------------------------------------------------------\n  Vendor         Cloudflare\n  Confidence     98%\n  Evidence       cf-ray header, __cfduid cookie, 1020 error page\n  \nRecommended tampers for Cloudflare:\n  charunicodeencode, space2morecomment, randomcase\n```\n\nDetection covers major commercial and open-source WAFs including Cloudflare, AWS WAF, Akamai, Imperva, Azure WAF, F5, Fortinet, ModSecurity, Barracuda, Sucuri, Radware, Citrix ADC, Palo Alto, Sophos, and Wallarm.\n\n### Automated Bypass Discovery\n\nDiscover WAF bypass techniques using 70+ tamper scripts with automatic selection based on detected vendor.\n\n```\n$ waf-tester bypass -u https://target.com --smart --tamper-auto\n\nBypass Discovery\n--------------------------------------------------------------------------\n  Payload Variants Tested     2,847\n  Blocked by WAF              2,728 (95.8%)\n  Bypassed WAF                119 (4.2%)\n  \nTop Bypass Chains:\n  1. charunicodeencode + space2morecomment    (42 bypasses)\n  2. modsecurityversioned + randomcase        (31 bypasses)  \n  3. between + equaltolike                    (19 bypasses)\n```\n\nThe mutation engine combines 49 mutator functions with base payloads to generate comprehensive coverage across encoding, evasion, and injection location variations.\n\n### Enterprise Assessment with Statistical Metrics\n\nGenerate quantitative WAF assessments with industry-standard statistical measures.\n\n```\n$ waf-tester assess -u https://target.com -fp -o assessment.json\n\nEnterprise WAF Assessment\n--------------------------------------------------------------------------\n  Metric                  Score\n  ---------------------------------\n  Detection Rate (TPR)    94.2%\n  False Positive Rate     0.3%\n  Precision               99.7%\n  Recall                  94.2%\n  F1 Score                0.969\n  MCC                     0.942\n```\n\nAssessment includes testing against benign traffic corpora (Leipzig corpus integration) to measure false positive rates, enabling data-driven WAF configuration decisions.\n\n### Multi-Protocol Support\n\nNative support for modern API protocols beyond HTTP.\n\n```bash\n# GraphQL introspection and injection testing\nwaf-tester scan -u https://api.example.com/graphql -types graphql\n\n# gRPC reflection and message fuzzing  \nwaf-tester scan -u grpc://service:50051 -types grpc\n\n# SOAP/WSDL enumeration and XXE testing\nwaf-tester scan -u https://api.example.com/service.wsdl -types soap\n\n# WebSocket message injection\nwaf-tester scan -u wss://api.example.com/socket -types websocket\n```\n\n---\n\n## Comparison with Existing Tools\n\n### Workflow Consolidation\n\n| Traditional Approach | WAFtester Approach |\n|---------------------|-------------------|\n| Run wafw00f for WAF detection | Integrated: 197 vendor signatures |\n| Manually select sqlmap tampers | Auto-selects from 70+ tampers based on detected WAF |\n| Write nuclei templates per vulnerability | 2,800+ payloads across 50+ categories included |\n| Parse outputs and correlate manually | Unified JSON/SARIF/HTML with metrics |\n| Separate tools for GraphQL, gRPC, WebSocket | Native multi-protocol support |\n\n### Feature Comparison\n\n| Capability | sqlmap | nuclei | Burp Suite | WAFtester |\n|------------|--------|--------|------------|-----------|\n| WAF-aware tamper selection | Manual | N/A | Manual | Automatic |\n| False positive measurement | No | No | Limited | Full (FPR, precision) |\n| Statistical metrics (MCC, F1) | No | No | No | Yes |\n| Multi-protocol (GraphQL, gRPC) | No | Limited | Yes | Native |\n| Mutation engine | 60 tampers | N/A | Intruder | 49 mutators x payloads |\n| CI/CD native (SARIF, streaming) | No | Yes | No | Yes |\n\n---\n\n## Installation\n\n### npm / npx (Recommended)\n\nZero-dependency install — downloads the correct platform binary automatically.\n\n```bash\n# Run directly (no install needed)\nnpx -y @waftester/cli scan -u https://target.com\n\n# Or install globally\nnpm install -g @waftester/cli\nwaf-tester version\n```\n\nWorks on macOS, Linux, and Windows (x64 and arm64). Requires Node.js \u003e= 16.\n\n### Go Install\n\nRequires Go 1.24 or later.\n\n```bash\ngo install github.com/waftester/waftester/cmd/cli@latest\n```\n\n### Docker\n\nMulti-architecture images (`linux/amd64`, `linux/arm64`) are published to GitHub Container Registry.\n\n```bash\n# Pull the latest image\ndocker pull ghcr.io/waftester/waftester:latest\n\n# Run the MCP server on port 8080\ndocker run -p 8080:8080 ghcr.io/waftester/waftester\n\n# Run a scan directly\ndocker run --rm ghcr.io/waftester/waftester scan -u https://example.com\n\n# Docker Compose (local build)\ndocker compose up --build\n```\n\nAvailable image tags:\n\n| Tag | Description |\n|-----|-------------|\n| `latest` | Latest stable release |\n| `1.2.3` | Exact version |\n| `1.2`, `1` | Minor/major aliases |\n| `edge` | Latest `main` branch build |\n| `sha-abc1234` | Specific commit |\n\nThe image runs as non-root on a read-only distroless base (~5 MB). See [docs/INSTALLATION.md](docs/INSTALLATION.md#docker) for Docker Compose, Kubernetes, and environment variable configuration.\n\n### Package Managers\n\n```bash\n# macOS\nbrew install waftester\n```\n\n### Binary Releases\n\nDownload pre-built binaries from the [releases page](https://github.com/waftester/waftester/releases).\n\nFor detailed installation instructions, see [docs/INSTALLATION.md](docs/INSTALLATION.md).\n\n---\n\n## Usage\n\n### Automated Assessment\n\nThe `auto` command provides complete automated assessment including discovery, analysis, testing, and reporting.\n\n```bash\n# Full automated assessment with WAF-aware optimization\nwaf-tester auto -u https://example.com --smart\n\n# With automatic tamper selection based on detected WAF\nwaf-tester auto -u https://example.com --smart --tamper-auto\n\n# Service-specific presets for CMS and framework detection\nwaf-tester auto -u https://example.com -service wordpress\n```\n\n### Targeted Scanning\n\nThe `scan` command provides focused vulnerability testing across 50+ attack categories.\n\n```bash\n# SQL injection and XSS testing\nwaf-tester scan -u https://target.com -types sqli,xss\n\n# All attack categories\nwaf-tester scan -u https://target.com -types all\n\n# With WAF-aware tamper selection\nwaf-tester scan -u https://target.com --smart --tamper-auto\n\n# With custom payload and template directories\nwaf-tester scan -u https://target.com --payloads ./custom-payloads --template-dir ./my-templates\n```\n\n### WAF Intelligence\n\nThe `tampers` command provides vendor-specific bypass recommendations.\n\n```bash\n# Show tampers ranked by effectiveness for specific WAF\nwaf-tester tampers --for-waf=cloudflare\n\nTampers Ranked by Effectiveness for Cloudflare\n--------------------------------------------------------------------------\n  Rank  Tamper                    Success Rate\n  1     charunicodeencode         85%\n  2     space2morecomment         82%\n  3     randomcase                75%\n  4     between                   68%\n  5     modsecurityversioned      55%\n```\n\n---\n\n## Output Formats and Integrations\n\nWAFtester supports multiple output formats for integration with security workflows and CI/CD pipelines.\n\n### Supported Formats\n\n| Format | Use Case | Flag |\n|--------|----------|------|\n| JSON | Automation, APIs, scripting | `-format json` |\n| JSONL | Streaming, real-time processing | `-stream -json` |\n| SARIF | GitHub/GitLab Security, VS Code | `-format sarif` |\n| HTML | Reports for stakeholders | `-format html` |\n| PDF | Executive reports | `-format pdf` |\n| JUnit | CI/CD test frameworks | `-format junit` |\n| CycloneDX | SBOM vulnerability exchange | `-format cyclonedx` |\n| XML | Legacy SIEM/vulnerability platforms | `--xml` |\n\n### Enterprise Integrations\n\n| Integration | Format | Flag |\n|------------|--------|------|\n| SonarQube | Generic Issue Import | `-format sonarqube` |\n| GitLab SAST | gl-sast-report.json | `-format gitlab-sast` |\n| DefectDojo | Findings import | `-format defectdojo` |\n| Elasticsearch | SIEM streaming | `--elasticsearch-url` |\n| GitHub Issues | Auto-create issues | `--github-issues-token` |\n| Azure DevOps | Work item creation | `--ado-org`, `--ado-project`, `--ado-pat` |\n\n### Real-time Alerting\n\n```bash\n# Slack notifications\nwaf-tester scan -u $TARGET --slack-webhook=$WEBHOOK_URL\n\n# Microsoft Teams notifications  \nwaf-tester scan -u $TARGET --teams-webhook=$WEBHOOK_URL\n\n# PagerDuty escalation\nwaf-tester scan -u $TARGET --pagerduty-key=$ROUTING_KEY\n\n# Jira ticket creation\nwaf-tester scan -u $TARGET --jira-url=$JIRA_URL --jira-project=SEC --jira-email=$EMAIL --jira-token=$TOKEN\n\n# GitHub Issues integration\nwaf-tester scan -u $TARGET --github-issues-token=$TOKEN --github-issues-owner=myorg --github-issues-repo=security-issues\n\n# Azure DevOps work item creation\nwaf-tester scan -u $TARGET --ado-org=myorg --ado-project=SecurityTests --ado-pat=$ADO_PAT\n\n# OpenTelemetry tracing\nwaf-tester scan -u $TARGET --otel-endpoint=$OTEL_ENDPOINT\n```\n\n---\n\n## CI/CD Integration\n\n### GitHub Actions (Recommended)\n\n```yaml\n- uses: waftester/waftester-action@v1\n  with:\n    target: https://app.example.com\n```\n\nResults appear in **Security → Code scanning**. See [WAFtester Action](https://github.com/marketplace/actions/waftester-waf-security-testing) for all options.\n\n### Alternative: CLI in GitHub Actions\n\n```yaml\n- name: WAF Security Assessment\n  run: |\n    waf-tester scan -u ${{ env.TARGET_URL }} \\\n      -format sarif -o results.sarif\n    \n- name: Upload SARIF\n  uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: results.sarif\n```\n\n### Pipeline Quality Gates\n\n```bash\n# Fail pipeline on critical findings\nwaf-tester scan -u $TARGET -json | \\\n  jq -e '[.vulnerabilities[] | select(.severity==\"Critical\")] | length == 0'\n\n# Extract metrics for dashboards\nwaf-tester assess -u $TARGET -json | \\\n  jq '{tpr: .metrics.detection_rate, fpr: .metrics.false_positive_rate, f1: .metrics.f1_score}'\n```\n\nFor additional CI/CD examples (GitLab, Azure DevOps, Jenkins, CircleCI, Tekton), see [docs/EXAMPLES.md](docs/EXAMPLES.md#cicd-integration).\n\n---\n\n## MCP Server — AI Agent Integration\n\nWAFtester includes a built-in [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server that enables AI assistants (Claude, GPT, Copilot) and automation platforms (n8n, Langflow) to control WAFtester programmatically.\n\n### Why MCP?\n\nInstead of parsing CLI output or building custom integrations, AI agents interact with WAFtester through a structured protocol with typed tool schemas, progress notifications, and domain-knowledge resources. The server guides agents through optimal tool selection and workflow orchestration.\n\n### Transports\n\n| Transport | Use Case | Command |\n|-----------|----------|---------|\n| Stdio | IDE integrations (VS Code, Claude Desktop, Cursor) | `waf-tester mcp` |\n| HTTP | Remote/Docker deployments, n8n, web UIs | `waf-tester mcp --http :8080` |\n\nThe HTTP transport exposes:\n- `/mcp` — Streamable HTTP (2025-03-26 spec)\n- `/sse` — Legacy SSE for n8n and older MCP clients\n- `/health` — Readiness probe for container orchestrators\n\nAll endpoints include CORS headers for browser-based clients.\n\n### Quick Start\n\n```bash\n# Stdio mode (for Claude Desktop, VS Code, Cursor)\nwaf-tester mcp\n\n# HTTP mode (for n8n, Docker, remote access)\nwaf-tester mcp --http :8080\n\n# Docker\ndocker run -p 8080:8080 ghcr.io/waftester/waftester mcp --http :8080\n```\n\n### Claude Desktop Configuration\n\nAdd to `claude_desktop_config.json`:\n\n```json\n{\n  \"mcpServers\": {\n    \"waf-tester\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"@waftester/cli\", \"mcp\"]\n    }\n  }\n}\n```\n\nAlternatively, if installed via Go or binary:\n\n```json\n{\n  \"mcpServers\": {\n    \"waf-tester\": {\n      \"command\": \"waf-tester\",\n      \"args\": [\"mcp\"]\n    }\n  }\n}\n```\n\n### n8n Integration\n\n1. Add an **MCP Client** node in n8n\n2. Set transport to **SSE Endpoint**\n3. Enter the URL: `http://your-server:8080/sse`\n4. Connect to an AI Agent node\n5. WAFtester tools appear automatically for the agent to use\n\n### Available Tools\n\n| Tool | What It Does |\n|------|--------------|\n| `list_payloads` | Browse attack payload catalog with filtering |\n| `detect_waf` | Fingerprint WAF vendor, confidence, bypass tips |\n| `discover` | Map attack surface (robots, sitemap, JS, Wayback) — **async** |\n| `learn` | Generate intelligent test plans from discovery |\n| `scan` | Execute WAF bypass tests with progress tracking — **async** |\n| `assess` | Enterprise assessment with F1, precision, MCC, FPR — **async** |\n| `mutate` | Apply encoding/evasion transformations |\n| `bypass` | Systematic bypass with mutation matrix — **async** |\n| `probe` | TLS, HTTP/2, technology fingerprinting |\n| `generate_cicd` | Generate CI/CD YAML for 6 platforms |\n| `get_task_status` | Poll async task progress and retrieve results |\n| `cancel_task` | Stop a running async task |\n| `list_tasks` | View all running/completed/failed tasks |\n\n\u003e **Async tools** return a `task_id` immediately. Poll with `get_task_status` to retrieve results. This prevents timeout errors with n8n and other MCP clients.\n\n### Domain Knowledge Resources\n\nAI agents can read these resources for context without making network requests:\n\n| Resource | Content |\n|----------|---------|\n| `waftester://guide` | WAF testing methodology guide |\n| `waftester://waf-signatures` | WAF vendor signatures and bypass tips |\n| `waftester://evasion-techniques` | Evasion encoding catalog |\n| `waftester://owasp-mappings` | OWASP Top 10 2021 mappings |\n| `waftester://payloads` | Full payload catalog |\n| `waftester://payloads/unified` | Unified view (JSON + Nuclei template payloads) |\n| `waftester://payloads/{category}` | Category-filtered payloads |\n| `waftester://templates` | Nuclei template library listing |\n| `waftester://version` | Server version, capabilities, and resource counts |\n| `waftester://config` | Default configuration values |\n\nFor complete MCP examples, see [docs/EXAMPLES.md](docs/EXAMPLES.md#mcp-server-integration).\n\n---\n\n## Command Reference\n\n| Command | Description | Example |\n|---------|-------------|---------|\n| `auto` | Complete automated assessment | `waf-tester auto -u https://target.com` |\n| `scan` | Vulnerability scanning (50+ categories) | `waf-tester scan -u https://target.com -types sqli,xss` |\n| `bypass` | WAF bypass discovery | `waf-tester bypass -u https://target.com --smart` |\n| `assess` | Enterprise metrics (F1, MCC, FPR) | `waf-tester assess -u https://target.com -fp` |\n| `tampers` | List/test/recommend tampers | `waf-tester tampers --for-waf=cloudflare` |\n| `vendor` | WAF fingerprinting (197 signatures) | `waf-tester vendor -u https://target.com` |\n| `probe` | Protocol detection | `waf-tester probe -l urls.txt` |\n| `fuzz` | Directory/content fuzzing | `waf-tester fuzz -u https://target.com/FUZZ` |\n| `smuggle` | HTTP request smuggling detection | `waf-tester smuggle -u https://target.com` |\n| `race` | Race condition testing | `waf-tester race -u https://target.com/checkout` |\n| `discover` | Endpoint crawling | `waf-tester discover -u https://target.com` |\n| `workflow` | YAML workflow execution | `waf-tester workflow -f recon.yaml` |\n| `template` | Nuclei-compatible template scanner | `waf-tester template -u https://target.com -t templates/` |\n| `grpc` | gRPC service testing | `waf-tester grpc -u localhost:50051 --list` |\n| `soap` | SOAP/WSDL service testing | `waf-tester soap --wsdl https://api.example.com?wsdl` |\n| `openapi` | OpenAPI specification fuzzing | `waf-tester openapi -spec openapi.yaml --fuzz` |\n| `cloud` | Cloud resource discovery | `waf-tester cloud -d example.com --providers aws,azure` |\n| `mcp` | MCP server for AI agents | `waf-tester mcp` or `waf-tester mcp --http :8080` |\n\n---\n\n## Key Options\n\n| Flag | Description | Default |\n|------|-------------|---------|\n| `-u` | Target URL | Required |\n| `-l` | File with targets (one per line) | - |\n| `-c` | Concurrent workers | 25 |\n| `-rl` | Rate limit (requests/second) | 150 |\n| `--smart` | WAF-aware adaptive mode | false |\n| `--tamper` | Tamper list (comma-separated) | - |\n| `--tamper-auto` | Auto-select for detected WAF | false |\n| `--tamper-profile` | Preset: stealth, standard, aggressive, bypass | - |\n| `-format` | Output format | json |\n| `-o` | Output file | - |\n| `-x` | Proxy (HTTP/HTTPS/SOCKS4/SOCKS5) | - |\n| `--sni` | Override TLS SNI for CDN bypass | - |\n| `--burp` | Burp Suite proxy shortcut | false |\n| `--zap` | OWASP ZAP proxy shortcut | false |\n| `--payloads` | Custom payload directory | `./payloads` |\n| `--template-dir` | Custom Nuclei template directory | `./templates/nuclei` |\n| `--stream` | Real-time streaming output | false |\n\n---\n\n## Platform Statistics\n\n| Metric | Value |\n|--------|-------|\n| CLI Commands | 33 |\n| WAF Signatures | 197 vendors |\n| Attack Payloads | 2,800+ |\n| Tamper Scripts | 70+ |\n| Mutator Functions | 49 |\n| Attack Categories | 50+ |\n| Protocols | HTTP, GraphQL, gRPC, SOAP, WebSocket, OpenAPI |\n| Output Formats | 16 |\n| CI/CD Platforms | 9 |\n| MCP Tools | 10 |\n| MCP Resources | 10 |\n| MCP Prompts | 6 |\n| npm Platforms | macOS, Linux, Windows (x64 + arm64) |\n| Docker Architectures | linux/amd64, linux/arm64 |\n\n---\n\n## Documentation\n\n| Resource | Description |\n|----------|-------------|\n| [Examples Guide](docs/EXAMPLES.md) | Comprehensive usage examples |\n| [Installation](docs/INSTALLATION.md) | Installation methods (Go, Docker, binary) |\n| [MCP Server](docs/EXAMPLES.md#mcp-server-integration) | AI agent integration guide |\n| [Docker](docs/INSTALLATION.md#docker) | Container deployment guide |\n| [Contributing](CONTRIBUTING.md) | Contribution guidelines |\n| [Changelog](CHANGELOG.md) | Version history |\n| [Security](SECURITY.md) | Security policy |\n\n---\n\n## License\n\n**Core:** [Business Source License 1.1](LICENSE) - Converts to Apache 2.0 on January 31, 2030\n\n**Community Payloads:** [MIT](LICENSE-COMMUNITY)\n","funding_links":[],"categories":["Awesome Tools"],"sub_categories":["Testing:"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaftester%2Fwaftester","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwaftester%2Fwaftester","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwaftester%2Fwaftester/lists"}