SAFE PROBES · OWASP CRS · 3 LANGUAGES

Does your WAF actually block attacks?

Probe your firewall (Cloudflare, AWS WAF, ModSecurity, Imperva, Akamai…) with 50+ safe OWASP CRS-style payloads. Get a coverage % score, find which rule categories have gaps, and export a Markdown report for your CFO/CISO.

Read-only · No exploits · Detects 25+ WAF brands · ~20 seconds · Markdown export
SAMPLE: browser.uz/waf-coverage · target: shop.example.com

shop.example.com
Coverage: 75% · Grade: B
Cloudflare WAF detected · 24 probes · 18 blocked · 6 passed

SQLi: 4/4 ✓
XSS: 3/4 ⚠
RCE: 4/4 ✓
LFI: 2/4 ⚠
SSRF: 1/4 ✗
XXE: 4/4 ✓

RECOMMENDATIONS

SSRF: 3/4 payloads passed through. Enable OWASP CRS rule group 934.
LFI: 2/4 payloads passed. Enable rule 932160.

Three reasons people pay for this

A WAF that's never tested is just a checkbox. Coverage data is the only thing that proves it works.

CFO ROI proof

"We pay $40K/year for Cloudflare Pro WAF — what does it actually block?" Coverage % answers that, in one number for your board deck.

VC due-diligence

Target says "we have a WAF". Run our test. If 60%+ of payloads pass through, they bought a $5K product, not protection. Add it as a deal condition.

DevOps tuning

ModSecurity has 250 rules — which to enable? Run baseline, enable rule, re-run. Watch coverage % climb. Data-driven tuning, not guesses.

7 attack categories we probe

Each category sends 2-6 detection patterns shaped like real attacks — but harmless if echoed.

SQLi
Single-quote tautology, UNION SELECT, comment bypass, stacked queries — across MySQL/PostgreSQL/MSSQL dialects.
XSS
script tags, img onerror, javascript: scheme, svg onload, iframe srcdoc, URL-encoded variants.
RCE
Command chains (;|), backtick exec, $() subshells, PowerShell encoded, Perl system().
LFI
../etc/passwd, encoded traversal (..%2f), Windows path, null byte, double encoding, php:// wrappers.
SSRF
AWS metadata (169.254.169.254), localhost, internal range, file://, gopher://, 0.0.0.0 alias.
XXE
External entity file://, parameter entity, SVG XXE, DOCTYPE-only attacks.
DESERIAL
Java serialized headers, PHP O:8:"stdClass", Python pickle, .NET BinaryFormatter signatures.
+WAF DETECT
Identifies which WAF is in front of your site (25+ vendors) by header/cookie/server signatures.

25+ WAF brands detected

Identified by header / cookie / server-banner signatures.

Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, F5 BIG-IP, Wordfence, ModSecurity, Fastly, Azure WAF, Google Cloud Armor, Barracuda, Citrix NetScaler, FortiWeb, Radware, Wallarm, BunkerWeb, StackPath, Reblaze, DataDome, PerimeterX, Distil Networks, Turnstile, hCaptcha, reCAPTCHA

Run a test on your own site

Free for the first test. ~20 seconds. Markdown export ready for your security team.

Ethics: probes are detection patterns shaped like real attacks but harmless if echoed by your application. They do not exploit vulnerabilities. No DoS, no brute-force, no lateral movement. Test only your own or authorised targets — same legal posture as any external WAF tuning exercise.