gotestwaf
GoTestWAF is an open-source Go tool that simulates API and OWASP attacks (SQL injection, XSS, etc.) to evaluate Web Application Firewalls, API gateways, and security proxies. It generates malicious payloads across REST, GraphQL, gRPC, SOAP, and other protocols, then reports which attacks were blocked, bypassed, or unresolved.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | wallarm/gotestwaf |
| Owner | wallarm |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 1.8k |
| Forks | 257 |
| Open issues | 18 |
| Latest release | v0.5.8 (2025-07-31) |
| Last updated | 2025-07-31 |
| Source | https://github.com/wallarm/gotestwaf |
What gotestwaf is
GoTestWAF sends crafted HTTP requests with encoded attack payloads placed in various request locations (headers, URL params, body) to a target security solution and logs detection results. It supports YAML-based test case definitions with configurable payloads, encoders (Base64, URL, JSUnicode, XML Entity), and placement options (URLParam, Header, JSONBody, RawRequest, etc.), generating combinatorial request sets for comprehensive WAF evaluation.
Get the gotestwaf source
Clone the repository and explore it locally.
git clone https://github.com/wallarm/gotestwaf.gitcd gotestwaf# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires target security solution URL and network connectivity; sender IP must be whitelisted to avoid false blocks during testing.
- Chrome browser required for native PDF report generation; Docker deployment avoids this dependency and simplifies containerized WAF environments.
- Test cases are combinatorial (payloads × encoders × placeholders); large payloads and multiple encoders can generate hundreds or thousands of requests, stressing the target.
- YAML test case format must follow precise syntax; binary payload encoding required. Custom test cases demand careful validation to avoid malformed requests.
- Results depend on WAF rule configuration; misconfigured or default rule sets may produce unreliable metrics; WAF fingerprinting may aid interpretation but is not guaranteed.
When to avoid it — and what to weigh
- Requires Real-Time Threat Intelligence Integration — GoTestWAF uses static, predefined payloads; it does not update with emerging zero-day exploits or automatically correlate detections with live threat feeds.
- Need for In-Depth Application Context Analysis — The tool generates generic attacks without business logic understanding; it cannot model application-specific workflows or detect context-aware bypasses (e.g., authorization flaws).
- Production Monitoring and Continuous Defense — GoTestWAF is a testing harness, not a runtime WAF; it does not protect live applications or provide real-time blocking and remediation capabilities.
- Need for Vulnerability Scanning on Application Code — GoTestWAF tests WAF detection only; it does not perform SAST, dependency analysis, or application-level code review.
License & commercial use
MIT License: permissive open-source license allowing use, modification, and distribution for any purpose (commercial or otherwise) provided the license and copyright notice are retained.
MIT License explicitly permits commercial use without restrictions or royalties. Organizations may deploy GoTestWAF in commercial WAF testing, security consulting, and product evaluation workflows. No vendor lock-in, proprietary extensions, or commercial licensing restrictions apply.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
GoTestWAF generates and sends known attack payloads (SQL injection, XSS, RCE, etc.) to evaluate detection. Operator must ensure target is isolated or owned; firing payloads at uncontrolled systems is illegal and unethical. No built-in obfuscation, timing controls, or evasion logging to audit malicious requests. Payloads are not exploits (do not execute code) but may trigger defensive behaviors. Test environment should not route to production systems.
Alternatives to consider
OWASP ZAP
Standalone web app security scanner with passive and active scanning; broader scope than WAF testing but lower specificity for comparative WAF evaluation and API-centric payloads.
Burp Suite Community/Pro
Comprehensive web proxy with payload generation, repeater, and extensions; more general-purpose penetration testing tool with higher cost and greater feature density than GoTestWAF's focused WAF testing.
Cloudflare WAF Dashboard / AWS WAF Console
Native vendor testing interfaces for specific WAF products; easier integration with their respective ecosystems but limited to single vendor; less portable than open-source cross-platform testing.
Build on gotestwaf with DEV.co software developers
Deploy GoTestWAF in Docker to benchmark your Web Application Firewall, API gateway, or security proxy against OWASP and custom attack payloads. Identify detection gaps and rule improvements in minutes.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
gotestwaf FAQ
Can GoTestWAF test my production WAF without legal or operational risk?
What if the WAF is fingerprinted as 'not identified'?
How do I create custom test cases for my organization's specific APIs?
Does GoTestWAF replace penetration testing or formal security assessments?
Work with a software development agency
Adopting gotestwaf is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Evaluate Your WAF Coverage Today
Deploy GoTestWAF in Docker to benchmark your Web Application Firewall, API gateway, or security proxy against OWASP and custom attack payloads. Identify detection gaps and rule improvements in minutes.