WAF-Sentinel — Project by Aswin Mathew
🤖 AI Generated · Auto-published via GitHub Actions
Project Writeup

18 May 2026 4 min read Aswin Mathew

Why I Built WAF‑Sentinel

When I started my journey as a penetration tester, I quickly realized that most WAF detection tools either focused on a single vendor or required a heavy Kali‑centric stack. This fragmentation made it hard to get a holistic view of a target’s defenses during an engagement. I wanted a lightweight, portable script that could run on any Linux box, identify every WAF in front of a web application, and give me actionable confidence scores without forcing me to install a dozen dependencies. WAF‑Sentinel was born out of that need: a pure‑Python, multi‑technique fingerprinting engine that works out‑of‑the‑box on any Python 3.8+ system.

Technical Architecture

The core of WAF‑Sentinel is a modular detection pipeline that runs eight parallel techniques against a target URL. Each technique is implemented as a small, independently testable function that returns a set of signals (header names, cookie patterns, body snippets, timing anomalies, etc.). The engine aggregates these signals using a weighted confidence model, where each method contributes a base score and cross‑method bonuses increase the final rating. To keep the footprint tiny, I avoided external C libraries and relied solely on the standard library plus requests for HTTP handling and urllib3 for connection pooling. The design also separates I/O from logic, allowing the JSON report generator to consume the raw detection objects without tight coupling.
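The weighted confidence model described above can be sketched as follows. This is an added example, not code from the WAF‑Sentinel repository: the method names, weights, bonus value and sample signals are all assumptions made for illustration, and the output shape follows the report fields named later in this post (name, confidence, signals).

```python
from collections import defaultdict

# Hypothetical base weights per detection method (0-100 scale); not the project's values.
METHOD_WEIGHTS = {"header": 30, "cookie": 25, "body": 20, "status": 10, "timing": 10}
CROSS_METHOD_BONUS = 10   # added for each extra independent method that agrees
MAX_CONFIDENCE = 100


def aggregate(signals, weights=METHOD_WEIGHTS, bonus=CROSS_METHOD_BONUS):
    """Fold (waf, method, detail) signals into per-WAF confidence scores.

    Each distinct method counts once per WAF, so ten matching headers do not
    outweigh one header plus one cookie. Unknown methods contribute 0.
    """
    by_waf = defaultdict(lambda: {"methods": set(), "signals": []})
    for waf, method, detail in signals:
        by_waf[waf]["methods"].add(method)
        by_waf[waf]["signals"].append(f"{method}: {detail}")

    report = []
    for waf, entry in by_waf.items():
        known = [m for m in entry["methods"] if m in weights]
        base = sum(weights[m] for m in known)
        extra = bonus * max(len(known) - 1, 0)   # cross-method corroboration
        report.append({
            "name": waf,
            "confidence": min(base + extra, MAX_CONFIDENCE),
            "signals": entry["signals"],
        })
    # Highest confidence first; name breaks ties so output is deterministic.
    return sorted(report, key=lambda r: (-r["confidence"], r["name"]))


# Constructed sample signals (vendor names and details are placeholders).
SAMPLE_SIGNALS = [
    ("ExampleWAF-A", "header", "Server: example-a"),
    ("ExampleWAF-A", "header", "X-Example-A-Id present"),
    ("ExampleWAF-A", "cookie", "__exa_session"),
    ("ExampleWAF-A", "status", "403 on blocked request"),
    ("ExampleWAF-B", "body", "block page marker"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(aggregate(SAMPLE_SIGNALS), indent=2))
```

Counting each method once per WAF keeps a single easily altered signal, such as a response header, from dominating the score; agreement across independent methods is what raises confidence.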

Challenges & Solutions

Implementing eight detection methods in a single script introduced several engineering hurdles. First, coordinating concurrent requests without overwhelming the target required a thread pool executor with a configurable max‑workers setting; I chose Python’s concurrent.futures.ThreadPoolExecutor for its simplicity and fine‑grained control. Second, parsing HTTP responses reliably across diverse WAF behaviors was tricky; I built a flexible pattern‑matching layer that supports regular expressions, substring searches, and status‑code heuristics, all encapsulated in a Detector base class. Third, generating a trustworthy confidence score needed a transparent methodology; I documented the weighting scheme in the README and allowed users to tweak individual method weights via command‑line options. Finally, ensuring the tool stayed “zero‑dependency on Kali” meant avoiding any system‑level packages; all required libraries are installable via pip, which satisfied the requirement while keeping the Docker‑friendly nature of the project.

Getting Started

WAF‑Sentinel is ready to run on any machine that has Python 3.8 or newer. The installation steps are straightforward, and the tool works equally well on a standard Ubuntu VM or a full Kali installation.

# Clone the repository
git clone https://github.com/AswinMathew2004/WAF-Sentinel.git
cd WAF-Sentinel
# Install Python dependencies
pip3 install -r requirements.txt
# Make the script executable
chmod +x waf-sentinel.py

For a quick passive scan of example.com:

python3 waf-sentinel.py -t example.com

To launch an aggressive scan with payload testing and stealth mode, outputting a JSON report:

python3 waf-sentinel.py -t https://target.com --aggressive --stealth --output report.json

If you need to route traffic through a proxy (e.g., Burp Suite listening on 127.0.0.1:8080):

python3 waf-sentinel.py -t target.com -a -v --proxy http://127.0.0.1:8080

The generated JSON file contains an array of WAF objects, each with a name, confidence (0‑100), and a list of signals that led to the detection, making it trivial
