DEV.co
Open-Source Security · urbanadventurer

WhatWeb

WhatWeb is a Ruby-based web application scanner that identifies websites, technologies, and versions by analyzing HTTP responses and server behavior. It offers 1800+ plugins with configurable aggression levels ranging from single-request scans to heavy multi-request analysis, suitable for reconnaissance and penetration testing.

Source: GitHub — github.com/urbanadventurer/WhatWeb
6.7k
GitHub stars
996
Forks
Ruby
Primary language
GPL-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryurbanadventurer/WhatWeb
Ownerurbanadventurer
Primary languageRuby
LicenseGPL-2.0 — OSI-approved
Stars6.7k
Forks996
Open issues51
Latest releasev0.6.4 (2026-04-02)
Last updated2026-04-02
Sourcehttps://github.com/urbanadventurer/WhatWeb

What WhatWeb is

WhatWeb performs passive and active fingerprinting of web technologies via HTTP headers, HTML content analysis, favicon hashing, and probing. It supports proxy routing (including Tor), custom headers, basic auth, multiple output formats (JSON, XML, MongoDB, ElasticSearch), and CIDR/IP range scanning. Aggression levels (1–4) control request volume and detection depth.

Quickstart

Get the WhatWeb source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/urbanadventurer/WhatWeb.gitcd WhatWeb# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Penetration Testing and Security Assessments

Primary use case. Multiple aggression levels and 1800+ plugins enable thorough technology enumeration during authorized security assessments. Output formats integrate with reporting tools and SIEM platforms.

Reconnaissance for Bug Bounty Programs

Low-aggression stealthy mode enables single-request scans across multiple targets without triggering alerting systems. Useful for mapping attack surfaces before deeper testing.

Large-Scale Technology Inventory

Concurrent scanning with configurable thread limits and multiple log formats (JSON, MongoDB, ElasticSearch) support bulk asset discovery and tech stack profiling at organizational scale.

Implementation considerations

  • Ruby runtime required. Verify Ruby version compatibility and gem dependency resolution in your environment; Docker containers recommended for isolation.
  • Plugin architecture is extensible but requires Ruby knowledge to write custom detection rules. Default 1800+ plugin set may be sufficient for most targets.
  • Proxy configuration (HTTP, HTTPS, Tor) should be tested before scanning production-adjacent networks to avoid traffic leakage.
  • Output format selection (JSON/XML/MongoDB/ElasticSearch) depends on downstream log aggregation and SIEM integration requirements.
  • High thread counts (>100) can degrade performance without `--no-cookies` flag; balance concurrency with target rate-limiting and IDS sensitivity.

When to avoid it — and what to weigh

  • Production Vulnerability Scanning — WhatWeb is a fingerprinting and reconnaissance tool, not a vulnerability scanner. It does not execute exploits or assess exploitability. Use dedicated scanners (e.g., Nessus, Qualys) for active vulnerability assessment.
  • Scanning Targets Without Authorization — GPL-2.0 license and tool design do not provide legal cover for unauthorized access testing. Misuse may violate computer fraud and abuse statutes. Ensure explicit written authorization before use.
  • Minimal Internet Connectivity or Air-Gapped Environments — WhatWeb requires live HTTP(S) connectivity to targets. It cannot operate on offline artifacts or in fully isolated networks without proxy setup.
  • Zero-Day or Rapid Patch Validation — Plugin maintenance depends on community contribution. Response time to new technologies or CVE-specific detection rules is not guaranteed and lags behind commercial tools.

License & commercial use

Licensed under GNU General Public License v2.0 (GPLv2). Source code is public and copyleft; any modifications or derivative works must be released under GPLv2. Original authors are Andrew Horton (urbanadventurer) and Brendan Coles (bcoles).

GPLv2 permits commercial use (including by consultants and security firms), but any customizations or bundled derivative tools must also be released under GPLv2 or include source availability. Internal business use (e.g., scanning your own infrastructure) requires no disclosure. Use without modification is unencumbered for commercial purposes. **Requires legal review** if incorporating WhatWeb into a proprietary tool or SaaS offering.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

WhatWeb is a reconnaissance tool and does not execute payload-bearing requests or exploit code injection. Security posture considerations: (1) SSL/TLS validation should be verified when scanning HTTPS targets to prevent MITM attacks in untrusted networks; (2) cookie handling and stored credentials (basic auth, proxy passwords) should be protected at rest and in memory; (3) output logs may contain sensitive headers, emails, or account identifiers—treat log files as sensitive; (4) use in authenticated/closed networks preferred to prevent IP enumeration or rate-limiting triggers; (5) source code is public, reducing hidden malware risk but requiring trust in maintainers. No formal security audit or CVE history available in data.

Alternatives to consider

Wappalyzer

Browser-based and lightweight; detects similar tech stack with <100 plugins. Faster for small-scale scanning but less depth. Freemium SaaS model; less suitable for CLI automation at scale.

BuiltWith

Commercial SaaS with curated tech database and domain intelligence. Better for competitive analysis and bulk lookups but expensive and closed-source. No CLI or local deployment option.

Shodan

Internet-wide search engine for metadata and banner grabbing. Complements local scanning by querying passive intelligence. Requires API key and credit consumption; not a local scanner.

Software development agency

Build on WhatWeb with DEV.co software developers

WhatWeb accelerates reconnaissance and technology enumeration for penetration testing and security audits. Start with stealthy mode, scale with aggressive scanning. Free and open-source.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

WhatWeb FAQ

Is WhatWeb a vulnerability scanner?
No. WhatWeb identifies web technologies and versions (fingerprinting). It does not test for or exploit vulnerabilities. Use Nessus, Qualys, or Burp Suite for vulnerability assessment.
Can I scan without authorization?
Legally, no. Authorization must be explicit and in writing. WhatWeb's GPL-2.0 license does not provide legal cover for unauthorized testing. Violators may face criminal or civil liability under computer fraud statutes.
What is the difference between aggression levels?
Level 1 (stealthy): 1 HTTP request per target, fast, suitable for public reconnaissance. Level 3 (aggressive): Additional requests if level-1 plugins match. Level 4 (heavy): Many requests per target, reliable but slow. Choose based on stealth vs. accuracy trade-off.
Can I integrate WhatWeb with my SIEM?
Yes. WhatWeb outputs JSON, XML, MongoDB, ElasticSearch, and SQL formats natively. Parse JSON output and ingest into your SIEM or log aggregator via scripts. No native API available.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like WhatWeb. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to Map Your Web Stack?

WhatWeb accelerates reconnaissance and technology enumeration for penetration testing and security audits. Start with stealthy mode, scale with aggressive scanning. Free and open-source.