PromptHub
Developer Tools Cybersecurity

Stop Guessing What's Under the Hood: WhatWeb Exposes Every Website's Secrets

B

Bright Coding

Author

13 min read
35 views
Stop Guessing What's Under the Hood: WhatWeb Exposes Every Website's Secrets

Stop Guessing What's Under the Hood: WhatWeb Exposes Every Website's Secrets

You've been there. Staring at a website, wondering what's actually powering it. Is that slick portfolio running WordPress with a custom theme? Does that enterprise portal hide behind Cloudflare with a vulnerable Apache version? Manual reconnaissance is exhausting—viewing source, hunting for generator meta tags, checking response headers like some digital archaeologist with a magnifying glass. What if you could fingerprint every technology stack in seconds?

Enter WhatWeb, the next generation web scanner that's quietly become the secret weapon of penetration testers, security researchers, and curious developers worldwide. With over 1,824 plugins and the ability to identify everything from obscure CMS platforms to embedded IoT devices, WhatWeb doesn't just guess—it knows. Whether you're conducting legitimate security assessments, competitive analysis, or simply satisfying your technical curiosity, this tool transforms hours of manual investigation into milliseconds of automated precision.

Ready to see what you've been missing? Let's dive deep into why top security professionals are abandoning manual reconnaissance for this powerhouse scanner.


What is WhatWeb?

WhatWeb is an open-source web technology fingerprinting scanner developed by Andrew Horton (@urbanadventurer) and Brendan Coles (@bcoles). Born from the trenches of penetration testing and security research, WhatWeb exists to answer one deceptively simple question: "What is that Website?"

The project traces its roots back to Kiwicon III in 2009, where version 0.3 made its public debut. Since then, it has evolved through 16 major releases to become the current version 0.6.4 (released April 3, 2026)—a mature, battle-tested tool that ships with 1,824 detection plugins and counting. Licensed under GPLv2, WhatWeb represents one of the most comprehensive open-source efforts in web reconnaissance technology.

What makes WhatWeb genuinely "next generation" isn't just its plugin count—it's the philosophy of adaptive intelligence. Unlike simplistic banner-grabbing tools, WhatWeb employs multi-vector fingerprinting: it analyzes HTTP headers, HTML content, JavaScript artifacts, cookie patterns, favicon hashes, URL structures, and even subtle behavioral cues. When a single request isn't enough, WhatWeb escalates its investigation through configurable aggression levels, balancing the eternal trade-off between stealth and thoroughness.

The tool has gained particular traction in the cybersecurity community because it solves a genuine pain point: modern web stacks are increasingly opaque. Cloudflare masks servers, JavaScript frameworks render client-side, and developers deliberately obfuscate their technology choices. WhatWeb cuts through this noise with surgical precision, making it indispensable for bug bounty hunters, red team operators, and defensive auditors alike.


Key Features That Separate WhatWeb from the Pack

WhatWeb isn't merely a scanner—it's a complete reconnaissance ecosystem. Here's what makes it technically superior:

Massive Plugin Architecture (1,824+ Plugins)

Each plugin is a specialized detection module written in Ruby, targeting specific technologies. The WordPress plugin alone contains 15+ distinct tests, checking everything from generator meta tags to /wp-content/ path patterns, favicon hashes, and login page characteristics. This redundancy means evasion is nearly impossible—remove one identifier, and others still trigger.

Four-Tier Aggression System

WhatWeb uniquely lets you control operational intensity:

  • Level 1 (Stealthy): Single HTTP request per target—perfect for external assessments where noise matters
  • Level 3 (Aggressive): Triggered follow-up requests only when initial plugins match, enabling version-specific detection
  • Level 4 (Heavy): Maximum interrogation, firing all aggressive tests against all targets

Intelligent Performance Optimization

WhatWeb automatically tunes output buffering based on thread count:

  • Low threads (1-5): Synchronous output for real-time monitoring
  • Medium threads (6-50): Async I/O with 10-result buffers
  • High threads (51+): Large buffers minimizing system call overhead

Enterprise-Grade Output Formats

Beyond human-readable output, WhatWeb exports to JSON, XML, SQL, MongoDB, ElasticSearch, MagicTree, and Ruby objects. This isn't convenience—it's pipeline integration for automated security workflows and SIEM correlation.

Advanced Network Capabilities

  • Dual-protocol scanning: Automatically tests both HTTP and HTTPS for simple hostnames
  • Proxy support including TOR: Route through anonymization networks
  • Custom HTTP headers and authentication: Bypass basic auth, inject session cookies, modify user-agents to evade Snort IDS rules
  • IDN support: Handle internationalized domain names natively

Custom Plugin Development

Define detection logic on the command line without writing files:

whatweb --custom-plugin=":text=>'powered by abc'" target.com

Real-World Use Cases Where WhatWeb Dominates

1. Penetration Testing Reconnaissance

Before exploiting, you must understand. WhatWeb rapidly maps a target's attack surface—identifying outdated WordPress installations with known CVEs, exposed Apache Tomcat management interfaces, or development frameworks with default credentials. The stealthy mode lets you conduct initial reconnaissance without triggering IDS alerts.

2. Bug Bounty Hunting at Scale

Successful bug bounty programs require efficient target enumeration. WhatWeb's CIDR range support and high-thread scanning let you assess thousands of subdomains overnight. Log to JSON, pipe into vulnerability scanners, and prioritize targets with outdated technology stacks. One hunter reported tripling their valid submission rate after integrating WhatWeb into their automation pipeline.

3. Competitive Intelligence & Market Research

Technology choices reveal strategic decisions. Marketing agencies use WhatWeb to analyze competitor technology adoption—who migrated to Next.js, who's still on legacy PHP, which e-commerce platforms dominate specific industries. The MongoDB and ElasticSearch logging enables large-scale trend analysis across millions of sites.

4. Incident Response & Threat Hunting

During active intrusions, identifying compromised infrastructure's technology stack accelerates containment. WhatWeb quickly fingerprints attacker-controlled domains, revealing if they're using predictable hosting platforms, shared CMS instances, or custom-built command-and-control infrastructure.

5. DevSecOps & Continuous Monitoring

Integrate WhatWeb into CI/CD pipelines to detect shadow IT and configuration drift. Unexpected technology appearances in your own infrastructure often signal unauthorized deployments or compromised accounts.


Step-by-Step Installation & Setup Guide

Prerequisites

WhatWeb requires Ruby (2.5+ recommended) and standard development tools. Most Linux distributions include suitable versions.

Installation from Source (Recommended)

# Clone the repository
git clone https://github.com/urbanadventurer/WhatWeb.git
cd WhatWeb

# Install core dependencies
bundle install

# Verify installation
./whatweb --version

Installing Optional Dependencies

For full functionality including MongoDB logging and character set detection:

# MongoDB support
bundle install --with mongo

# Character set detection (required for JSON/MongoDB logging)
bundle install --with rchardet

# Install everything at once
bundle install --with mongo rchardet

# Copy charset plugin from disabled folder
cp plugins-disabled/charset.rb my-plugins/

System-Wide Installation

# Create symbolic link for global access
sudo ln -s $(pwd)/whatweb /usr/local/bin/whatweb

# Or install via package manager where available
# Debian/Ubuntu: sudo apt-get install whatweb
# Kali Linux: pre-installed

Performance Profiling Setup (Optional)

# Install ruby-prof for bottleneck analysis
gem install ruby-prof

# Enable profiling via environment variable
export WHATWEB_PROFILE=1

Basic Configuration

Create a shell alias for common options:

# Add to ~/.bashrc or ~/.zshrc
alias whatweb-stealth='whatweb -a 1 --no-errors'
alias whatweb-aggressive='whatweb -a 3 -v'

REAL Code Examples from WhatWeb

Let's examine actual usage patterns from the repository, with detailed explanations of what happens under the hood.

Example 1: Basic Website Scanning

The simplest possible invocation—yet remarkably powerful:

$ ./whatweb reddit.com

Output:

http://reddit.com [301 Moved Permanently] Country[UNITED STATES][US], HTTPServer[snooserv], IP[151.101.65.140], RedirectLocation[https://www.reddit.com/], UncommonHeaders[retry-after,x-served-by,x-cache-hits,x-timer], Via-Proxy[1.1 varnish]
https://www.reddit.com/ [200 OK] Cookies[edgebucket,eu_cookie_v2,loid,rabt,rseor3,session_tracker,token], Country[UNITED STATES][US], Email[banner@2x.png,snoo-home@2x.png], Frame, HTML5, HTTPServer[snooserv], HttpOnly[token], IP[151.101.37.140], Open-Graph-Protocol[website], Script[text/javascript], Strict-Transport-Security[max-age=15552000; includeSubDomains; preload], Title[reddit: the front page of the internet], UncommonHeaders[fastly-restarts,x-served-by,x-cache-hits,x-timer], Via-Proxy[1.1 varnish], X-Frame-Options[SAMEORIGIN]

What's happening here? WhatWeb automatically follows the HTTP→HTTPS redirect, then extracts 18 distinct data points from two requests. Notice how it identifies:

  • Infrastructure: Fastly CDN (via x-served-by, x-cache-hits), Varnish proxy
  • Security headers: HSTS with preload, X-Frame-Options
  • Application behavior: Multiple session cookies, Open Graph protocol usage
  • Geolocation: IP geolocation to US

The snooserv server identification isn't standard Apache/Nginx—it's Reddit's custom server naming, demonstrating WhatWeb's ability to fingerprint non-standard implementations.


Example 2: Aggressive Version Detection

When stealth isn't enough, escalate to extract precise version information:

# Level 3 aggressive scan targeting WordPress version specifically
$ ./whatweb -a 3 www.wired.com

Compare this to a stealthy scan of a phpBB forum:

# Level 1: Basic identification
$ ./whatweb smartor.is-root.com/forum/
http://smartor.is-root.com/forum/ [200] PasswordField[password], HTTPServer[Apache/2.2.15], PoweredBy[phpBB], Apache[2.2.15], IP[88.198.177.36], phpBB[2], PHP[5.2.13], X-Powered-By[PHP/5.2.13], Cookies[phpbb2mysql_data,phpbb2mysql_sid], Title[Smartors Mods Forums - Reloaded], Country[GERMANY][DE]
# Level 3: Precise version with plugin-specific targeting
$ ./whatweb -p plugins/phpbb.rb -a 3 smartor.is-root.com/forum/
http://smartor.is-root.com/forum/ [200] phpBB[2,>2.0.20]

Critical insight: The -p plugins/phpbb.rb restriction is deliberately stealthy. By loading only the phpBB plugin, WhatWeb minimizes request volume while maximizing precision. The [2,>2.0.20] output reveals version range inference—the aggressive tests confirmed it's phpBB 2.x, specifically 2.0.20 or newer, likely through signature analysis of template files or JavaScript assets that changed in that release.


Example 3: Network Range Scanning with Custom Prefix

Enterprise and internal assessments require efficient network coverage:

# Scan local network for HTTPS services, suppressing error noise
$ whatweb --no-errors --url-prefix https:// 192.168.0.0/24

Why this matters: The --url-prefix transforms every IP in the CIDR range into an HTTPS URL. Without this, WhatWeb would default to HTTP. Combined with --no-errors, you get clean output even when most IPs have no web service. For large ranges, pre-scan with masscan:

# Discover open ports first, then fingerprint
masscan 192.168.0.0/24 -p80,443 --rate 1000 | awk '{print $6}' > live-hosts.txt
whatweb -i live-hosts.txt --no-errors

Example 4: Custom Plugin Definition

When no existing plugin targets your specific interest, define detection inline:

# Detect custom string patterns
$ ./whatweb --custom-plugin=":text=>'powered by abc'" target.com

# Version extraction via regex
$ ./whatweb --custom-plugin=":version=>/powered[ ]?by ab[0-9]/" target.com

# Google Hacking Database query integration
$ ./whatweb --custom-plugin=":ghdb=>'intitle:abc \"powered by abc\"'" target.com

# MD5 hash matching for specific files
$ ./whatweb --custom-plugin=":md5=>'8666257030b94d3bdb46e05945f60b42'" target.com

Technical breakdown: Each --custom-plugin creates an anonymous plugin instance. The :text key performs literal string matching; :version uses Ruby regex capture; :ghdb leverages Google's indexed dorks for confirmation; :md5 compares file hash signatures. This declarative approach requires zero Ruby knowledge for basic detection logic.


Example 5: Production Logging Pipeline

For integration with modern security stacks:

# Simultaneous multi-format output with performance tuning
$ ./whatweb -t 100 \
  --log-json=results.json \
  --log-brief=results.txt \
  --log-elastic-index=whatweb-prod \
  --log-elastic-host=es.internal:9200 \
  --output-buffer-size=50 \
  -i massive-target-list.txt

Architecture note: The -t 100 threads with --output-buffer-size=50 optimizes for throughput over latency. JSON feeds into Splunk/Elastic; brief format enables grep emergencies; ElasticSearch integration supports real-time Kibana dashboards. This single command replaces entire commercial reconnaissance suites.


Advanced Usage & Best Practices

IDS Evasion Techniques

  • Rotate user-agents: --user-agent "Mozilla/5.0..." avoids Snort WhatWeb signatures
  • Implement request throttling: --wait=2 with single threads mimics human browsing
  • Leverage TOR: --proxy 127.0.0.1:9050 routes through anonymization

Performance Optimization

  • Disable cookies for high-speed scans: --no-cookies eliminates session overhead
  • Profile before scaling: WHATWEB_PROFILE=1 identifies bottlenecks
  • Match buffer size to thread count: 25+ threads need 25+ buffer sizes

Accuracy Maximization

  • Select specific plugins in aggressive mode rather than running all
  • Combine with --output-sync for real-time monitoring during sensitive operations
  • Use --follow-redirect=never when investigating redirect chains for anomalies

Plugin Development

Study the my-plugins/ directory tutorials, then examine existing plugins in plugins/. The simplest plugin requires only pattern definitions; complex ones implement Ruby methods for dynamic detection. Community contributions drive the 1,824+ plugin count—your detection logic could benefit thousands.


Comparison with Alternatives

Feature WhatWeb Wappalyzer BuiltWith Nmap http-enum
Open Source ✅ GPLv2 ❌ (CLI limited) ❌ Commercial ✅ GPLv2
Plugin Count 1,824+ ~3,000 (closed) Proprietary ~100
Custom Plugins ✅ Ruby + CLI inline ✅ Lua
Aggression Levels 4-tier control ❌ Passive only ❌ Passive only Single mode
Output Formats 10+ including DBs JSON, CSV API/Reports Nmap XML
Proxy/TOR Support ✅ Native ✅ Via Nmap
Performance Tuning Auto + Manual Limited N/A Manual
Version Detection ✅ Aggressive probes Passive inference Passive inference Limited
Network Range Scanning ✅ CIDR native ✅ Via Nmap
Cost Free Freemium $295+/mo Free

Why WhatWeb wins: While Wappalyzer offers more total detections, its closed ecosystem prevents customization. BuiltWith's passive approach misses version-specific vulnerabilities. Nmap's http-enum lacks WhatWeb's sophistication. Only WhatWeb combines open extensibility, active verification, and enterprise integration at zero cost.


Frequently Asked Questions

Is WhatWeb legal to use?

WhatWeb is legal for authorized security testing, research, and your own infrastructure. Always obtain proper authorization before scanning third-party systems. Unauthorized scanning may violate computer fraud laws and terms of service.

How does WhatWeb differ from vulnerability scanners?

WhatWeb is purely a fingerprinting tool—it identifies technologies but doesn't exploit them. It pairs excellently with vulnerability scanners: WhatWeb identifies what's running; scanners like Nessus or OpenVAS check for known CVEs.

Can WhatWeb be detected by target systems?

Yes, but stealth options minimize detection. Change the user-agent, reduce thread count, add delays between requests, and use TOR proxying. However, any active scanning carries detection risk—factor this into operational security planning.

Why are some plugins in plugins-disabled/?

Disabled plugins typically require additional dependencies (like rchardet for charset detection) or perform slower operations. Enable selectively based on your needs rather than globally.

How do I contribute new detection plugins?

Fork the GitHub repository, create plugins following the my-plugins/ tutorials, and submit pull requests. The maintainers actively merge quality contributions.

What's the performance impact of JSON/MongoDB logging?

Character set detection (required for these formats) dramatically decreases performance due to CPU-intensive encoding analysis. For high-speed scanning, use brief or verbose formats; enable JSON/MongoDB only when pipeline integration justifies the throughput cost.

Does WhatWeb work against heavily obfuscated sites?

WhatWeb's multi-vector approach often succeeds where single-method tools fail. However, sites using extreme obfuscation (WASM rendering, encrypted payloads) may require manual analysis or browser-based tools as supplements.


Conclusion: Your Reconnaissance Revolution Starts Now

Manual technology identification is dead. In an era where cloud infrastructure, JavaScript frameworks, and deliberate obfuscation hide the truth, WhatWeb delivers uncompromising clarity through intelligent automation. With 1,824 plugins, four aggression tiers, and output formats feeding directly into modern security pipelines, it transforms reconnaissance from tedious guesswork into strategic advantage.

I've watched security professionals waste hours on manual source analysis when a single WhatWeb command would have exposed the entire stack in seconds. The tool's active community, constant plugin updates, and zero cost make it not just the smart choice, but the only rational choice for serious web reconnaissance.

Stop guessing. Start knowing.

👉 Download WhatWeb from GitHub — clone it today, run your first scan, and join the thousands of professionals who've made it their reconnaissance backbone. The next generation of web scanning isn't coming. It's already here, and it's waiting for you.


Have questions or want to share your WhatWeb success stories? Drop a comment below or reach out on Twitter. Happy scanning!

Comments (0)

Comments are moderated before appearing.

No comments yet. Be the first to share your thoughts!

Support us! ☕