DEV.co
Open-Source Security · wallarm

gotestwaf

GoTestWAF is an open-source Go tool that simulates API and OWASP attacks (SQL injection, XSS, etc.) to evaluate Web Application Firewalls, API gateways, and security proxies. It generates malicious payloads across REST, GraphQL, gRPC, SOAP, and other protocols, then reports which attacks were blocked, bypassed, or unresolved.

Source: GitHub — github.com/wallarm/gotestwaf
1.8k
GitHub stars
257
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorywallarm/gotestwaf
Ownerwallarm
Primary languageGo
LicenseMIT — OSI-approved
Stars1.8k
Forks257
Open issues18
Latest releasev0.5.8 (2025-07-31)
Last updated2025-07-31
Sourcehttps://github.com/wallarm/gotestwaf

What gotestwaf is

GoTestWAF sends crafted HTTP requests with encoded attack payloads placed in various request locations (headers, URL params, body) to a target security solution and logs detection results. It supports YAML-based test case definitions with configurable payloads, encoders (Base64, URL, JSUnicode, XML Entity), and placement options (URLParam, Header, JSONBody, RawRequest, etc.), generating combinatorial request sets for comprehensive WAF evaluation.

Quickstart

Get the gotestwaf source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/wallarm/gotestwaf.gitcd gotestwaf# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

WAF and API Gateway Security Validation

Benchmark detection capabilities of ModSecurity, AWS WAF, Azure WAF, Cloudflare, and similar solutions against common attack patterns to identify gaps in rule coverage.

Security Tool Comparative Testing

Evaluate multiple API security proxies or IPS products side-by-side using consistent payloads and metrics to determine which best detects OWASP Top-10 and API-specific threats.

OWASP CRS Regression & Tuning

Test OWASP Core Rule Set deployments for false positives and detection gaps; refine rules and encoders based on bypass results and configure defensive strategies accordingly.

Implementation considerations

  • Requires target security solution URL and network connectivity; sender IP must be whitelisted to avoid false blocks during testing.
  • Chrome browser required for native PDF report generation; Docker deployment avoids this dependency and simplifies containerized WAF environments.
  • Test cases are combinatorial (payloads × encoders × placeholders); large payloads and multiple encoders can generate hundreds or thousands of requests, stressing the target.
  • YAML test case format must follow precise syntax; binary payload encoding required. Custom test cases demand careful validation to avoid malformed requests.
  • Results depend on WAF rule configuration; misconfigured or default rule sets may produce unreliable metrics; WAF fingerprinting may aid interpretation but is not guaranteed.

When to avoid it — and what to weigh

  • Requires Real-Time Threat Intelligence Integration — GoTestWAF uses static, predefined payloads; it does not update with emerging zero-day exploits or automatically correlate detections with live threat feeds.
  • Need for In-Depth Application Context Analysis — The tool generates generic attacks without business logic understanding; it cannot model application-specific workflows or detect context-aware bypasses (e.g., authorization flaws).
  • Production Monitoring and Continuous Defense — GoTestWAF is a testing harness, not a runtime WAF; it does not protect live applications or provide real-time blocking and remediation capabilities.
  • Need for Vulnerability Scanning on Application Code — GoTestWAF tests WAF detection only; it does not perform SAST, dependency analysis, or application-level code review.

License & commercial use

MIT License: permissive open-source license allowing use, modification, and distribution for any purpose (commercial or otherwise) provided the license and copyright notice are retained.

MIT License explicitly permits commercial use without restrictions or royalties. Organizations may deploy GoTestWAF in commercial WAF testing, security consulting, and product evaluation workflows. No vendor lock-in, proprietary extensions, or commercial licensing restrictions apply.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

GoTestWAF generates and sends known attack payloads (SQL injection, XSS, RCE, etc.) to evaluate detection. Operator must ensure target is isolated or owned; firing payloads at uncontrolled systems is illegal and unethical. No built-in obfuscation, timing controls, or evasion logging to audit malicious requests. Payloads are not exploits (do not execute code) but may trigger defensive behaviors. Test environment should not route to production systems.

Alternatives to consider

OWASP ZAP

Standalone web app security scanner with passive and active scanning; broader scope than WAF testing but lower specificity for comparative WAF evaluation and API-centric payloads.

Burp Suite Community/Pro

Comprehensive web proxy with payload generation, repeater, and extensions; more general-purpose penetration testing tool with higher cost and greater feature density than GoTestWAF's focused WAF testing.

Cloudflare WAF Dashboard / AWS WAF Console

Native vendor testing interfaces for specific WAF products; easier integration with their respective ecosystems but limited to single vendor; less portable than open-source cross-platform testing.

Software development agency

Build on gotestwaf with DEV.co software developers

Deploy GoTestWAF in Docker to benchmark your Web Application Firewall, API gateway, or security proxy against OWASP and custom attack payloads. Identify detection gaps and rule improvements in minutes.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

gotestwaf FAQ

Can GoTestWAF test my production WAF without legal or operational risk?
Only if your security team owns and explicitly approves the target system. Sending unsolicited attack payloads to systems you do not control is illegal. Always test in isolated staging environments with your WAF configured in monitoring/logging mode first.
What if the WAF is fingerprinted as 'not identified'?
The tool attempts WAF detection via response codes and headers but may fail on unknown or heavily customized solutions. Results are still valid; focus on true-positive (blocked), false-negative (bypassed), and unresolved counts to evaluate detection efficacy regardless of WAF brand.
How do I create custom test cases for my organization's specific APIs?
Edit YAML files in the testcases folder following the format shown in the README (payload, encoder, placeholder, type). Test case syntax is strict; ensure payloads are YAML-encoded and placeholders match supported types (URLParam, JSONBody, Header, RawRequest, etc.). Validate with dry-runs before full scanning.
Does GoTestWAF replace penetration testing or formal security assessments?
No. GoTestWAF is a synthetic test harness for WAF rule detection benchmarking. It does not discover application logic flaws, authorization bypasses, or business-context attacks. Use it to supplement, not replace, manual penetration testing and code review.

Work with a software development agency

Adopting gotestwaf is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Evaluate Your WAF Coverage Today

Deploy GoTestWAF in Docker to benchmark your Web Application Firewall, API gateway, or security proxy against OWASP and custom attack payloads. Identify detection gaps and rule improvements in minutes.