GoTestWAF: open-source project for evaluating web application security solutions

GoTestWAF is an API and OWASP attack simulation tool that supports a wide range of API protocols, including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, and more. It was designed to evaluate web application security solutions, such as API security proxies, application firewalls, IPS, API gateways and others.

“We created GoTestWAF to help the security community assess the level of API and application security controls they have applied,” Wallarm CEO Ivan Novikov told Help Net Security. “As for the future, we have a lot of plans, including introducing daemon mode for user-required CI/CD automation, expanding GraphQL support, introducing configuration options and API parsing based on Swagger/OpenAPI specs.”

How GoTestWAF works

The tool generates malicious requests using encoded payloads placed in different parts of HTTP requests: its body, headers, URL parameters, etc.

The generated queries are sent to the application security solution URL specified when launching GoTestWAF. The results of the security solution assessment are saved in the report file created on your machine.
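The evaluation idea described above, as an added Python sketch that is not GoTestWAF's own code: one test string is run through several encoders and placed in several request parts, and each combination is checked against a control. The two controls, the encoder set and the request model are assumptions made for illustration.

```python
import base64
import binascii
from urllib.parse import quote, unquote

PAYLOAD = "<script>alert(1)</script>"  # constructed, well-known XSS test string

ENCODERS = {  # assumed encoder set for this sketch
    "plain": lambda s: s,
    "url": lambda s: quote(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}
PLACEHOLDERS = ("url_param", "header", "body")  # request parts named in the text

def build_request(placeholder, value):
    """Model a request with `value` in exactly one location."""
    req = {"url_param": "", "header": "", "body": ""}
    req[placeholder] = value
    return req

def naive_control(req):
    """Hypothetical control: matches raw text in URL parameters and body only."""
    return any("<script" in req[k].lower() for k in ("url_param", "body"))

def _decodings(value):
    """Yield the raw value plus its URL-decoded and Base64-decoded forms."""
    yield value
    yield unquote(value)
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass  # not valid Base64; nothing more to inspect

def normalizing_control(req):
    """Hypothetical control: decodes every field, headers included, before matching."""
    return any("<script" in d.lower() for v in req.values() for d in _decodings(v))

def evaluate(control):
    """Return {(encoder, placeholder): blocked} for the full test matrix."""
    return {(e, p): control(build_request(p, enc(PAYLOAD)))
            for e, enc in ENCODERS.items() for p in PLACEHOLDERS}

def gaps(results):
    """Cases the control let through, i.e. what a report would flag."""
    return sorted(case for case, blocked in results.items() if not blocked)

if __name__ == "__main__":
    for name, control in (("naive", naive_control), ("normalizing", normalizing_control)):
        res = evaluate(control)
        print(f"{name}: blocked {sum(res.values())}/{len(res)}, gaps: {gaps(res)}")
```

The naive control blocks only the unencoded string in the URL parameter and body; the matrix exposes the header and the encoded variants as coverage gaps, which is the kind of finding a per-case report makes visible.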


Sample report file


  • GoTestWAF supports all popular operating systems (Linux, Windows, macOS) and can be built natively if Go is installed in the system.
  • If you are running the tool as a Docker container, please make sure that you have installed and configured Docker, and that GoTestWAF and the evaluated application security solution are connected to the same Docker network.
  • For GoTestWAF to start successfully, ensure that the IP address of the machine running GoTestWAF is whitelisted on the machine running the Application Security Solution.

GoTestWAF is available for free download on GitHub.
