See WAFio in Action
On a Real Server
This is a live WAFio deployment — not a sandbox, not a mock. A production-grade setup on a VPS in New Jersey protecting a real vulnerable application. Browse the dashboard, fire attacks, watch them get blocked in real time.
What's Running on the Demo Server
The demo server at 153.75.248.105 (Vultr — New Jersey, US) runs the complete WAFio stack on Ubuntu 24.04 LTS. Every component is live and processing real requests.
TimescaleDB · gRPC agent bus
Two URLs, Two Roles
demo.wafio.cloud
OWASP Juice Shop — protected by WAFio WAF
OWASP Juice Shop is the world's most widely-used intentionally vulnerable web application, maintained by OWASP. It contains 100+ real vulnerabilities — SQL injection, XSS, broken authentication, insecure deserialization, and more — all categorized by the OWASP Top 10.
In this demo, Juice Shop sits behind the WAFio WAF agent. Every HTTP request goes through WAFio's detection pipeline before reaching Juice Shop. Try to exploit it — watch WAFio block the attacks in the dashboard.
demo-cp.wafio.cloud
WAFio dashboard — read-only demo access
The WAFio control plane is where you manage projects, WAF agents, firewall rules, and view real-time security events. This demo instance is pre-configured with the Juice Shop project already wired up.
Log in with the demo credentials below to explore the full dashboard — WAF event stream, agent health, blocked requests with full forensic detail, GeoIP map, detection rule tuning, and more. The demo account is read-only.
Email: demo@demo.wafio.cloud
Password: DemoView@123!
What to Try on demo.wafio.cloud
Fire real attacks against Juice Shop, then check the dashboard at demo-cp.wafio.cloud to see the blocked requests with full forensic detail.
Try classic SQLi on the login form or search bar. WAFio's SQL semantic engine parses the token stream and detects UNION selects, comment stripping, and tautology attacks.
admin'--
1' OR '1'='1
1 UNION SELECT * FROM Users--
Submit XSS payloads in user input fields. WAFio's XSS semantic engine decodes HTML entities, expands protocol obfuscation, and detects script injection regardless of encoding.
<script>alert(1)</script>
<img src=x onerror=alert(1)>
javascript:alert(document.cookie)
Directory traversal attempts are caught by WAFio's LFI semantic engine. It normalizes URL encoding, handles double-encoding (%252e), and detects ../../../etc/passwd patterns across all encoding variants.
../../../../etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
%252e%252e%252fetc%252fpasswd
WAFio's CMD semantic engine expands shell variable tricks, $IFS separators, octal escape sequences, and backtick command substitution before evaluating payloads against dangerous command signatures.
; ls -la /
| cat /etc/passwd
`whoami`
WAFio's L7 HTTP flood detection rate-limits clients that exceed the request threshold per time window. Hit the login endpoint repeatedly and watch it start returning 429 responses.
for i in $(seq 1 20); do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -X POST https://demo.wafio.cloud/rest/user/login \
    -H "Content-Type: application/json" \
    -d '{"email":"x@x.com","password":"x"}'
done
WAFio detects MongoDB-style operator injection ($where, $gt, $ne) and JSON-based auth bypass attempts. The NoSQL semantic engine parses operator sequences independent of encoding.
{"email":{"$gt":""},"password":{"$gt":""}}
{"$where":"1==1"}
What You'll See in the Control Plane
After firing some attacks, log into demo-cp.wafio.cloud with the demo credentials to explore the dashboard.
- The demo account is read-only — you cannot modify WAF rules, create agents, or delete resources.
- Juice Shop is intentionally vulnerable by design. Do not enter real personal data or real credentials.
- Attack payloads fired at demo.wafio.cloud will appear in the dashboard within seconds — try it.
- This is a shared environment. Please do not attempt DoS or volumetric flood attacks.
- The demo server resets periodically. Event history may be cleared.
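The decode-before-match idea from the directory traversal section above, as an added Python example that is not WAFio's code: it percent-decodes each value to a fixed point, then looks for a ".." path segment, and fails closed when the encoding is nested too deeply. The names normalize, is_traversal and MAX_LAYERS and the five-layer bound are assumptions of this example.

```python
from urllib.parse import unquote

MAX_LAYERS = 5  # assumed bound on nested percent-encoding; not a WAFio setting


def normalize(value: str) -> tuple[str, int]:
    """Percent-decode until the value stops changing.

    Returns (normalized value, number of encoding layers removed). Raises
    ValueError when the input is still changing after MAX_LAYERS decodes.
    """
    for layers in range(MAX_LAYERS + 1):
        decoded = unquote(value)
        if decoded == value:
            # Treat backslashes as separators so "..\" is seen like "../".
            return value.replace("\\", "/"), layers
        value = decoded
    raise ValueError("percent-encoding nested deeper than MAX_LAYERS")


def is_traversal(value: str) -> bool:
    """True when the normalized value contains a ".." path segment."""
    try:
        path, _ = normalize(value)
    except ValueError:
        return True  # fail closed: excessive nesting is itself suspicious
    return ".." in path.split("/")


# The three payloads listed on the page, plus constructed benign inputs.
SAMPLES = [
    "../../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252fetc%252fpasswd",
    "images/logo..v2.png",   # constructed: dots inside a file name
    "sale%2050%25%20off",    # constructed: encoded text, no path segments
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{is_traversal(sample)!s:5}  {sample}")
```

Matching on whole path segments rather than the substring ".." is what keeps file names such as logo..v2.png from being flagged.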
Ready to Deploy Your Own?
WAFio is free. Self-hosted. Runs in under 5 minutes on any Linux server.