WAFtester MCP Server

Enterprise-grade WAF scoring with letter grades, F1/MCC metrics, and false positive measurement. The formal assessment tool. USE THIS TOOL WHEN: • The user asks for a "WAF assessment", "WAF grade", or "WAF score" • You need quantitative metrics: F1 score, MCC, false positive rate, detection rate • Producing a formal report or compliance artifact • Comparing WAF vendors or configurations side-by-side • The user wants a letter grade (A through F) for their WAF DO NOT USE THIS TOOL WHEN: • Quick check on a single category — use 'scan' instead (much faster) • Looking for bypass variants via encoding — use 'bypass' instead • Just need to identify the WAF vendor — use 'detect_waf' instead 'assess' vs 'scan': assess runs a full rubric across all categories, measures false positives using a benign corpus, computes F1/MCC/FPR, and assigns a letter grade. scan just fires payloads and reports pass/fail. Use assess for formal evaluations, scan for targeted checks. EXAMPLE INPUTS: • Standard assessment: {"target": "https://example.com"} • Specific categories: {"target": "https://example.com", "categories": ["sqli", "xss", "cmdi"]} • Skip false-positive testing (faster): {"target": "https://example.com", "enable_fp_testing": false} • Conservative (production): {"target": "https://prod.com", "rate_limit": 10, "concurrency": 3} GRADING RUBRIC: A+ (>97%) → A (>93%) → B (>85%) → C (>70%) → D (>50%) → F (<50%) METRICS: Detection Rate, F1 Score (precision×recall balance), MCC (Matthews Correlation), FPR (false positive rate) Returns: letter grade, category scores, F1/MCC/FPR metrics, bypass list, per-category breakdown, improvement recommendations. ASYNC TOOL: This tool returns a task_id immediately and runs in the background (30-300s). Poll with get_task_status to retrieve results.

Hunt for WAF bypasses by testing payload mutations against a live target. The mutation matrix engine. USE THIS TOOL WHEN: • A 'scan' found blocks and now you want encoding/mutation variants that evade the WAF • The user says "find bypasses", "evade the WAF", or "can we get past the rules?" • Red team engagement — you need to prove exploitability, not just detect coverage • Testing a specific rule: "bypass the SQLi detection" DO NOT USE THIS TOOL WHEN: • You haven't scanned yet — use 'scan' first to establish a baseline • You just want to SEE encoded variants without testing — use 'mutate' instead • You want a WAF grade — use 'assess' instead 'bypass' vs 'scan': scan fires known payloads as-is. bypass takes payloads, generates mutations (encoder x location x evasion), and tests each one to find what the WAF misses. bypass is heavier, slower, and more thorough. 'bypass' vs 'mutate': mutate shows you the encodings offline. bypass encodes AND fires them at the target to find actual bypasses. Mutation Matrix: For each payload, bypass tries multiple encoders (url, double_url, html_hex, unicode, hex) x injection locations (query_param, post_form, post_json, header, cookie, path) x evasion techniques (case_swap, sql_comment, null_byte, whitespace, concat). This exponential combination is what finds bypasses. EXAMPLE INPUTS: • Hunt SQLi bypasses: {"target": "https://example.com/search?q=test", "payloads": ["' OR 1=1--", "1 UNION SELECT null--"]} • XSS bypass: {"target": "https://example.com", "payloads": ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]} • Smart mode (auto-detect WAF and optimize matrix): {"target": "https://example.com", "payloads": ["' OR 1=1--"], "smart": true} • Smart stealth: {"target": "https://example.com", "payloads": ["' OR 1=1--"], "smart": true, "smart_mode": "stealth"} • Self-signed cert: {"target": "https://internal.app", "payloads": ["{{7*7}}"], "skip_verify": true} Returns: successful bypasses with exact payload + encoding + location, total mutations tested, bypass rate, reproduction details. ASYNC TOOL: This tool returns a task_id immediately and runs in the background (30-300s). Poll with get_task_status to retrieve results.

Cancel a running async task. Use this to stop a long-running scan, assess, bypass, or discover operation that is no longer needed. USE THIS TOOL WHEN: • The user wants to stop a running task • A task is taking too long and you want to abort it • The user has changed their mind about what to test Only running/pending tasks can be cancelled. Completed or failed tasks cannot be cancelled. EXAMPLE: {"task_id": "task_a1b2c3d4e5f6g7h8"}

Compare current scan findings against a saved baseline to detect regressions, fixes, and new findings. USE when: - You want to diff two scan results to see what changed - You need to detect regressions after making changes - You want to verify fixes Result format: JSON with fixed, regressed, new, unchanged arrays and counts.

Extract and describe all authentication schemes declared in an API specification. USE when: - You need to understand what auth the API expects - You want to configure auth tokens before scanning - You need OAuth flow details (token URLs, scopes) Result format: JSON with schemes array, each containing name, type, details, and per-endpoint auth requirements.

Attack surface discovery and intelligent test plan generation workflow.

Systematic evasion technique research workflow. Tests encoding and mutation combinations against a specific WAF.

Enterprise-grade WAF assessment with metrics, grading, and OWASP compliance mapping.

Comprehensive 5-phase WAF security audit workflow. Guides through detection, discovery, scanning, assessment, and reporting.

Spec-first API security audit: validate spec, generate intelligent plan, execute targeted attacks, and report findings.

Default configuration values, bounds, and recommendations for all tools.

Catalog of WAF evasion encodings and techniques with effectiveness ratings.

Comprehensive guide to WAF security testing methodology, best practices, and interpretation.

Description of the 8-layer intelligence engine that auto-selects attacks per endpoint.

OWASP Top 10 2021 category mappings for all attack types, with CWE references.