The main command. Sends test cases to a WAF and reports results.
wafworth run --target http://localhost:8080 --name modsecurity| Option | Short | Default | Description |
|---|---|---|---|
--target |
-t |
(required) | Target WAF URL |
--name |
-n |
target URL | Name used in reports |
--block-status |
403 |
HTTP status code indicating a block | |
--testcases |
-d |
testcases |
Test case directories (repeatable) |
--tags |
all | Comma-separated tags to include | |
--exclude-tags |
none | Comma-separated tags to exclude | |
--encodings |
plain |
Comma-separated encodings to apply | |
--concurrency |
-c |
10 |
Max concurrent requests |
--timeout |
10.0 |
Per-request timeout in seconds | |
--output |
-o |
results |
Output directory for reports |
--format |
all |
Output format: all, console, json, markdown |
|
--fail-under |
none | Exit 1 if detection rate below threshold | |
--fail-fp-over |
none | Exit 1 if false-positive rate above threshold |
Run with multiple encodings and higher concurrency:
wafworth run -t http://localhost:8080 --encodings plain,url,hex -c 20Filter to only SQL injection tests:
wafworth run -t http://localhost:8080 --tags sqliExclude high-paranoia tests:
wafworth run -t http://localhost:8080 --exclude-tags paranoia-3,paranoia-4Use a custom block status code:
wafworth run -t http://localhost:8080 --block-status 406List available test cases with filtering.
wafworth list
wafworth list --tags sqli
wafworth list --severity critical
wafworth list --categories "SQL Injection,XSS"Shows a summary table by category and top tags.
Validate YAML test case files for correct structure.
wafworth validate testcases/Exits with code 1 if any files have errors.
Show how a payload looks under every supported encoding:
wafworth encode "1' OR '1'='1"Prints a table with all 9 encoding variants. Useful for understanding what the encoding expansion does before running tests.