GoTestWAF: Open-source project for evaluating web application security solutions

GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, etc. It was designed to evaluate web application security solutions, such as API security proxies, web application firewalls, IPS, API gateways, and others.


“We created GoTestWAF to help the security community evaluate the level of API and application security controls they applied,” Ivan Novikov, CEO at Wallarm, told Help Net Security. “As far as the future goes, we have a lot of plans, including introducing daemon mode for CI/CD automation required by users, extends GraphQL support, introduce for configuration options and API scanning based on Swagger/OpenAPI specs.”

How GoTestWAF works

The tool generates malicious requests using encoded payloads placed in different parts of HTTP requests: its body, headers, URL parameters, etc.

Generated requests are sent to the application security solution URL specified during GoTestWAF launch. The results of the security solution evaluation are recorded in the report file created on your machine.


Report file example


  • GoTestWAF supports all the popular operating systems (Linux, Windows, macOS), and can be built natively if Go is installed in the system.
  • If running the tool as the Docker container, please ensure you have installed and configured Docker, and GoTestWAF and evaluated application security solution are connected to the same Docker network.
  • For GoTestWAF to be successfully started, please ensure the IP address of the machine running GoTestWAF is whitelisted on the machine running the application security solution.

GoTestWAF is available for free download on GitHub.

Don't miss