@waftester/cli 2.9.38 → 2.9.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +22 -9
- package/package.json +7 -7
package/README.md
CHANGED
|
@@ -5,14 +5,14 @@
|
|
|
5
5
|
[](https://github.com/waftester/waftester/blob/main/LICENSE)
|
|
6
6
|
[](https://npmjs.com/package/@waftester/cli)
|
|
7
7
|
|
|
8
|
-
The most comprehensive WAF testing CLI & MCP server. Detect, fingerprint, and bypass Web Application Firewalls with **2,800+ payloads**, **
|
|
8
|
+
The most comprehensive WAF testing CLI & MCP server. Detect, fingerprint, and bypass Web Application Firewalls with **2,800+ payloads**, **96 tamper scripts**, and quantitative security metrics (FPR, F1, MCC).
|
|
9
9
|
|
|
10
10
|
## Why WAFtester?
|
|
11
11
|
|
|
12
12
|
| Traditional Approach | WAFtester |
|
|
13
13
|
|---------------------|-----------|
|
|
14
14
|
| Chain 5+ tools (wafw00f, sqlmap, nuclei, scripts) | Single `auto` command — end-to-end |
|
|
15
|
-
| Manually select tampers per WAF vendor | Auto-selects from
|
|
15
|
+
| Manually select tampers per WAF vendor | Auto-selects from 96 tampers based on detected WAF |
|
|
16
16
|
| Binary pass/fail results | Statistical metrics: FPR, Precision, F1 Score, MCC |
|
|
17
17
|
| HTTP only | Native GraphQL, gRPC, SOAP, WebSocket support |
|
|
18
18
|
| Manual result correlation | Unified JSON, SARIF, HTML, JUnit, CycloneDX output |
|
|
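Review bot: the tamper count is now hard-coded in two places in this hunk, the tagline (`**96 tamper scripts**`) and the comparison-table row (`Auto-selects from 96 tampers based on detected WAF`), and the removed versions of both lines are truncated in this view, so it cannot be checked here whether they were in sync before. Keep one source of truth (a README template filled at build time, or a single badge) so the next tamper added does not leave the two numbers disagreeing; the `2,800+` payload figure on the same line carries the same maintenance cost.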
@@ -213,8 +213,15 @@ waf-tester scan --spec openapi.yaml -u https://api.example.com --dry-run
|
|
|
213
213
|
| JSONL | Streaming, real-time | `-stream -json` |
|
|
214
214
|
| SARIF | GitHub/GitLab Security, VS Code | `-format sarif` |
|
|
215
215
|
| HTML | Stakeholder reports | `-format html` |
|
|
216
|
-
|
|
|
217
|
-
|
|
|
216
|
+
| PDF | Executive reports with severity matrix | `-format pdf` |
|
|
217
|
+
| Markdown | Documentation, wikis | `-format md` |
|
|
218
|
+
| CSV | Spreadsheets, data analysis | `-format csv` |
|
|
219
|
+
| JUnit | CI/CD test frameworks | `-junit-export results.xml` |
|
|
220
|
+
| XML | Legacy integrations | `-xml-export results.xml` |
|
|
221
|
+
| CycloneDX | SBOM vulnerability exchange | `-cyclonedx-export results.json` |
|
|
222
|
+
| SonarQube | SonarQube import | `-sonarqube-export results.json` |
|
|
223
|
+
| GitLab SAST | GitLab security dashboard | `-gitlab-sast-export results.json` |
|
|
224
|
+
| Console | Terminal display (default) | `-format console` |
|
|
218
225
|
|
|
219
226
|
## CI/CD Integration
|
|
220
227
|
|
|
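Review bot: the new rows of the output-formats table mix two different mechanisms without saying so: `-format pdf`, `-format md`, `-format csv` and `-format console` select the primary output, while `-junit-export`, `-xml-export`, `-cyclonedx-export`, `-sonarqube-export` and `-gitlab-sast-export` take a file path and, by their naming, are additional exports. A sentence above the table stating that the `-*-export` flags are written alongside whatever `-format` selects would stop readers from assuming `-format junit` exists. Also, `Console` is documented as the default but is the last row; listing the default first is the usual convention.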
@@ -246,7 +253,7 @@ Use the official [WAFtester Action](https://github.com/marketplace/actions/wafte
|
|
|
246
253
|
|
|
247
254
|
Also integrates with SonarQube, GitLab SAST, DefectDojo, Elasticsearch, Slack, Teams, PagerDuty, Jira, Azure DevOps, and OpenTelemetry.
|
|
248
255
|
|
|
249
|
-
## All
|
|
256
|
+
## All 33 Commands
|
|
250
257
|
|
|
251
258
|
| Command | Description |
|
|
252
259
|
|---------|-------------|
|
|
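Review bot: the heading `## All 33 Commands` hard-codes a row count for a table that the later hunks of this same diff add to and remove from, so it will be stale the next time a command is added unless someone remembers to update it; `## All Commands` or a count generated from the table is safer. The removed heading is truncated in this view, so whether the previous number matched the table cannot be checked here.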
@@ -262,7 +269,6 @@ Also integrates with SonarQube, GitLab SAST, DefectDojo, Elasticsearch, Slack, T
|
|
|
262
269
|
| `mutate` | Mutation matrix testing (49 mutator functions) |
|
|
263
270
|
| `headless` | Browser-based testing for JS-rendered targets |
|
|
264
271
|
| `template` | Run Nuclei-compatible YAML templates (HTTP, DNS, TCP, UDP) |
|
|
265
|
-
| `openapi` | Scan OpenAPI/Swagger spec endpoints |
|
|
266
272
|
| `grpc` | Test gRPC services via reflection |
|
|
267
273
|
| `soap` | Test SOAP/WSDL endpoints |
|
|
268
274
|
| `mcp` | Start MCP server for AI-powered testing |
|
|
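Review bot: the `openapi` row is dropped from the command table with no pointer to its replacement. The context in the earlier hunk header (`waf-tester scan --spec openapi.yaml -u https://api.example.com --dry-run`) shows that OpenAPI spec scanning is still documented under `scan --spec`, so a one-line note such as `openapi` (removed, use `scan --spec`) would keep existing scripts and CI jobs from failing silently when their owners look up the command.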
@@ -272,11 +278,18 @@ Also integrates with SonarQube, GitLab SAST, DefectDojo, Elasticsearch, Slack, T
|
|
|
272
278
|
| `cloud` | Cloud resource discovery |
|
|
273
279
|
| `report` | Generate reports from saved results |
|
|
274
280
|
| `run` | Execute specific payload categories against target |
|
|
275
|
-
| `benchmark` | Performance benchmarking and rate limit detection |
|
|
276
|
-
| `compare` | Compare assessments across WAF configs or vendors |
|
|
277
281
|
| `race` | Race condition testing |
|
|
278
282
|
| `smuggle` | HTTP request smuggling tests |
|
|
279
|
-
|
|
|
283
|
+
| `learn` | Analyze target and generate test plans |
|
|
284
|
+
| `fp` | False positive testing with benign traffic corpus |
|
|
285
|
+
| `protocol` | Protocol detection and fingerprinting |
|
|
286
|
+
| `validate` | Payload and spec validation |
|
|
287
|
+
| `workflow` | YAML workflow orchestration |
|
|
288
|
+
| `plugin` | Plugin management |
|
|
289
|
+
| `compare` | Compare two scan result JSON files (severity deltas, risk scores, CI exit code) |
|
|
290
|
+
| `update` | Check for and install updates |
|
|
291
|
+
| `docs` | Built-in command reference |
|
|
292
|
+
| `validate-templates` | Validate Nuclei/custom scan templates |
|
|
280
293
|
|
|
281
294
|
## Platform Support
|
|
282
295
|
|
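Review bot: `compare` is removed and re-added in this hunk with a different description, from `Compare assessments across WAF configs or vendors` to `Compare two scan result JSON files (severity deltas, risk scores, CI exit code)`, which reads as a behaviour change for an existing command rather than a documentation fix, and `benchmark` (`Performance benchmarking and rate limit detection`) is removed with no replacement named. Both deserve a changelog line, and since `compare` now advertises a CI exit code, the README should state which exit code means what, because pipelines will key on it. Separately, `validate` (`Payload and spec validation`) and `validate-templates` (`Validate Nuclei/custom scan templates`) overlap in naming; a word on when to use which would help.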
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@waftester/cli",
|
|
3
|
-
"version": "2.9.
|
|
3
|
+
"version": "2.9.40",
|
|
4
4
|
"description": "WAFtester — the most comprehensive WAF testing CLI & MCP server",
|
|
5
5
|
"license": "BUSL-1.1",
|
|
6
6
|
"repository": {
|
|
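Review bot: the `version` line is bumped to `2.9.40` while the page header lists this diff as `2.9.38 → 2.9.40`, so the intermediate 2.9.39 release is not represented here; make sure the changelog covers both versions, because the README changes in this diff (new commands, new export formats) give no indication which release introduced them. Nothing else in the hunk changes; `license` stays `BUSL-1.1`.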
@@ -44,11 +44,11 @@
|
|
|
44
44
|
"node": ">=16"
|
|
45
45
|
},
|
|
46
46
|
"optionalDependencies": {
|
|
47
|
-
"@waftester/darwin-x64": "2.9.
|
|
48
|
-
"@waftester/darwin-arm64": "2.9.
|
|
49
|
-
"@waftester/linux-x64": "2.9.
|
|
50
|
-
"@waftester/linux-arm64": "2.9.
|
|
51
|
-
"@waftester/win32-x64": "2.9.
|
|
52
|
-
"@waftester/win32-arm64": "2.9.
|
|
47
|
+
"@waftester/darwin-x64": "2.9.40",
|
|
48
|
+
"@waftester/darwin-arm64": "2.9.40",
|
|
49
|
+
"@waftester/linux-x64": "2.9.40",
|
|
50
|
+
"@waftester/linux-arm64": "2.9.40",
|
|
51
|
+
"@waftester/win32-x64": "2.9.40",
|
|
52
|
+
"@waftester/win32-arm64": "2.9.40"
|
|
53
53
|
}
|
|
54
54
|
}
|
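Review bot: the six platform packages in `optionalDependencies` are pinned to exactly `2.9.40`, matching the CLI `version`, which is the right call for a native-binary launcher: a caret range would let `npm install` resolve a newer binary than the CLI that wraps it. Two things to check: all six packages must be published before `@waftester/cli` itself, because optional dependencies that fail to resolve are skipped rather than failing the install, leaving a CLI with no binary; and the launcher should verify at runtime that the installed platform package reports the same version as the CLI (ideally also an expected hash) rather than trusting whatever resolved. `win32-arm64` is the last entry and correctly drops the trailing comma.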