GoTestWAF: Open Source Web Application Security Solutions Assessment Project


GoTestWAF is an API and OWASP attack simulation tool that supports a wide range of API protocols, including REST, GraphQL, gRPC, WebSockets, SOAP and XML-RPC. It is designed to evaluate web application security solutions such as API security proxies, web application firewalls (WAFs), intrusion prevention systems (IPS), API gateways and others.

“We created GoTestWAF to help the security community assess the level of API and application security controls they have applied,” Ivan Novikov, CEO of Wallarm, told Help Net Security. “Looking ahead, we have a lot of plans, including introducing daemon mode for user-required CI/CD automation, expanding support for GraphQL, introducing API configuration and analysis options based on Swagger/OpenAPI specifications.”

How GoTestWAF Works

The tool generates malicious requests from a set of attack payloads: each payload is run through an encoder and placed in a different part of the HTTP request, such as the body, a header or a URL parameter.

The generated requests are sent to the URL of the application security solution specified when GoTestWAF is launched, and the results of the assessment (which requests the solution blocked and which it let through) are saved to a report file created on your machine.
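The flow described above, as an added example that is not part of the article or of GoTestWAF's own code: a Go program that takes one SQL injection payload, runs it through three encoders (plain, URL, base64), places the result in four request locations (query parameter, URL path, a header, a form body), sends each of the twelve requests and records whether the target answered HTTP 403, which this example assumes to be the blocking status. The target is a constructed, deliberately naive signature check served in-process via net/http/httptest, so the example runs offline; the placeholder and encoder names are the example's own, not GoTestWAF's.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Placeholder names are this example's own (assumption), not GoTestWAF's placeholder set.
var placeholders = []string{"url_param", "url_path", "header", "body"}

// An encoder transforms the raw payload before it is placed in the request.
type encoder struct {
	name string
	fn   func(string) string
}

var encoders = []encoder{
	{"plain", func(s string) string { return s }},
	{"url", url.QueryEscape}, // buildRequest escapes again, so this produces double encoding
	{"base64", func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }},
}

// Result is one test case: where the payload went, how it was encoded, and the outcome.
type Result struct {
	Placeholder, Encoder string
	Status               int
	Blocked              bool
}

// buildRequest places an already-encoded payload into the chosen part of the request,
// applying only the transport-level escaping needed to keep the request well-formed.
func buildRequest(target, ph, payload string) (*http.Request, error) {
	method, path, body, hdr := http.MethodGet, "/", "", http.Header{}
	switch ph {
	case "url_param":
		path = "/?" + url.Values{"q": {payload}}.Encode()
	case "url_path":
		path = "/" + url.PathEscape(payload)
	case "header":
		hdr.Set("X-Test", payload)
	case "body":
		method, body = http.MethodPost, url.Values{"q": {payload}}.Encode()
		hdr.Set("Content-Type", "application/x-www-form-urlencoded")
	default:
		return nil, fmt.Errorf("unknown placeholder %q", ph)
	}
	req, err := http.NewRequest(method, target+path, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	return req, nil
}

// scan tries every placeholder/encoder pair; HTTP 403 is taken to mean "blocked" (assumption).
func scan(client *http.Client, target, payload string) ([]Result, error) {
	var results []Result
	for _, ph := range placeholders {
		for _, enc := range encoders {
			req, err := buildRequest(target, ph, enc.fn(payload))
			if err != nil {
				return nil, err
			}
			resp, err := client.Do(req)
			if err != nil {
				return nil, err
			}
			resp.Body.Close()
			results = append(results, Result{Placeholder: ph, Encoder: enc.name,
				Status: resp.StatusCode, Blocked: resp.StatusCode == http.StatusForbidden})
		}
	}
	return results, nil
}

// naiveWAF is a constructed stand-in for the solution under test: one SQL injection signature
// checked against path, query/form and header values after a single decoding pass, so a
// payload that was percent- or base64-encoded before transport is never recognised.
func naiveWAF(w http.ResponseWriter, r *http.Request) {
	_ = r.ParseForm()
	fields := []string{r.URL.Path}
	for _, m := range []map[string][]string{r.Form, r.Header} {
		for _, vs := range m {
			fields = append(fields, vs...)
		}
	}
	for _, f := range fields {
		if strings.Contains(strings.ToUpper(f), "' OR 1=1") {
			http.Error(w, "blocked", http.StatusForbidden)
			return
		}
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(naiveWAF))
	defer srv.Close()
	rs, err := scan(srv.Client(), srv.URL, "' OR 1=1--")
	if err != nil {
		panic(err)
	}
	for _, r := range rs {
		fmt.Printf("%-9s %-6s status=%d blocked=%v\n", r.Placeholder, r.Encoder, r.Status, r.Blocked)
	}
}
```

Run it with `go run`: the plain payload is blocked in all four positions, while the URL-encoded and base64-encoded variants pass everywhere, because the constructed target decodes once and never normalises further. That per-placeholder, per-encoder breakdown is the information a report of this kind exists to surface. To reuse `scan` against a real deployment, pass a real `*http.Client` and the solution's URL, and remember that a product may react by blocking the scanner's source address rather than judging each request on its own.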


Sample report file


  • GoTestWAF supports all popular operating systems (Linux, Windows, macOS) and can be built natively if Go is installed on the system.
  • If you are running the tool as a Docker container, make sure you have Docker installed and configured, and GoTestWAF and the evaluated application security solution are connected to the same Docker network.
  • Ensure that the IP address of the machine running GoTestWAF is whitelisted on the machine running the application security solution, so that the solution does not block the scanner's source address outright and the report reflects how it handles each individual request.

GoTestWAF is available for free download at GitHub.

