Legal notice — Only test websites you own or have explicit authorization to scan. Unauthorized use may violate applicable laws.

GitHub

WAF-CHECKER.COM

Configuration

Target URL

Tools

HTTP Methods

GET POST PUT DEL

Attack Categories

WAF Security Tester

Test your Web Application Firewall against common attack payloads

Quick Start

1 Enter your target URL in the Target URL field (e.g., https://example.com)
2 Select HTTP Methods to test (GET, POST, PUT, DELETE)
3 Choose Attack Categories (SQL Injection, XSS, etc.)
4 Click Start Check to begin testing

Batch Test

Test multiple URLs at once (up to 100)

HTTP Tests

Test WAF bypass via headers & methods

Full Recon

CMS, technologies, DNS, WHOIS, SSL, subdomains, email security & more

Security Headers

Audit CSP, HSTS, X-Frame-Options & more

Speed Test

Page load performance, timing & optimization

SEO Audit

Meta tags, sitemap, pages, structured data & score

Customize your payloads

Add, edit or remove attack payloads. Click in the header to customize.

Payload Configuration

Customize attack payloads used for WAF testing

What are payloads?

Payloads are test strings sent to your application to check if your WAF blocks malicious requests. Each category (SQL Injection, XSS, etc.) contains specific attack patterns that should be blocked by a properly configured WAF.

How to customize

1. Select a category from the left sidebar
2. Edit existing payloads directly or click "+ Add Payload" to add new ones
3. Click the trash icon to remove a payload
4. Click "Save Changes" to apply your modifications

Category badges

42 Default (unmodified)

MOD Modified

NEW Custom category

DEL Deleted

WAF-Checker API

v1.0 public 1 req/min

WAF Security Tester

Quick Start

Security Analytics

Payload Configuration

Categories

Payload Configuration

What are payloads?

How to customize

Category badges

Batch Testing

Batch Results Summary

Information

Confirm

HTTP Status Codes Reference