This is a research application for the automatic and periodic security evaluation of web application firewalls (WAFs).

WAFuzz can test the capabilities of WAFs to protect web applications

1. one-time to enable users to make qualified comparisons between different WAFs
2. periodically to make sure that WAFs continuously protect their web applications, also after system changes and updates.

It tests single or combined WAF configurations, perform predefined or own attacks against a vulnerable web server and analyzes if the WAF(s) prevented the attacks. It also generates reports with the relevant data, including raw requests and performance information. It supports also long-time random evaluations which permute evasive attack patterns to detect subtile attack holes. Additionally, it supports different combination modes to research the security of combined (different) WAFs.

This project is currently under active development by the Fraunhofer Institute for Secure Information Technology and not publicly available yet. If you are interested or have further questions, please contact WAFuzz.