WAF detection works by sending specific requests to servers and then analyzing the response; for example, in the case of http-waf-detect, it sends some basic malicious packets and compares the responses while looking for an indicator that a packet was blocked, refused, or detected. The same occurs with http-waf-fingerprint, but this script also tries to interpret that response and classify it according to known patterns of various IDSs and WAFs. The same applies to wafw00f.