WhatWeb
WhatWeb is a Ruby-based web application scanner that identifies websites, technologies, and versions by analyzing HTTP responses and server behavior. It offers 1800+ plugins with configurable aggression levels ranging from single-request scans to heavy multi-request analysis, suitable for reconnaissance and penetration testing.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | urbanadventurer/WhatWeb |
| Owner | urbanadventurer |
| Primary language | Ruby |
| License | GPL-2.0 — OSI-approved |
| Stars | 6.7k |
| Forks | 996 |
| Open issues | 51 |
| Latest release | v0.6.4 (2026-04-02) |
| Last updated | 2026-04-02 |
| Source | https://github.com/urbanadventurer/WhatWeb |
What WhatWeb is
WhatWeb performs passive and active fingerprinting of web technologies via HTTP headers, HTML content analysis, favicon hashing, and probing. It supports proxy routing (including Tor), custom headers, basic auth, multiple output formats (JSON, XML, MongoDB, ElasticSearch), and CIDR/IP range scanning. Aggression levels (1–4) control request volume and detection depth.
Get the WhatWeb source
Clone the repository and explore it locally.
git clone https://github.com/urbanadventurer/WhatWeb.gitcd WhatWeb# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Ruby runtime required. Verify Ruby version compatibility and gem dependency resolution in your environment; Docker containers recommended for isolation.
- Plugin architecture is extensible but requires Ruby knowledge to write custom detection rules. Default 1800+ plugin set may be sufficient for most targets.
- Proxy configuration (HTTP, HTTPS, Tor) should be tested before scanning production-adjacent networks to avoid traffic leakage.
- Output format selection (JSON/XML/MongoDB/ElasticSearch) depends on downstream log aggregation and SIEM integration requirements.
- High thread counts (>100) can degrade performance without `--no-cookies` flag; balance concurrency with target rate-limiting and IDS sensitivity.
When to avoid it — and what to weigh
- Production Vulnerability Scanning — WhatWeb is a fingerprinting and reconnaissance tool, not a vulnerability scanner. It does not execute exploits or assess exploitability. Use dedicated scanners (e.g., Nessus, Qualys) for active vulnerability assessment.
- Scanning Targets Without Authorization — GPL-2.0 license and tool design do not provide legal cover for unauthorized access testing. Misuse may violate computer fraud and abuse statutes. Ensure explicit written authorization before use.
- Minimal Internet Connectivity or Air-Gapped Environments — WhatWeb requires live HTTP(S) connectivity to targets. It cannot operate on offline artifacts or in fully isolated networks without proxy setup.
- Zero-Day or Rapid Patch Validation — Plugin maintenance depends on community contribution. Response time to new technologies or CVE-specific detection rules is not guaranteed and lags behind commercial tools.
License & commercial use
Licensed under GNU General Public License v2.0 (GPLv2). Source code is public and copyleft; any modifications or derivative works must be released under GPLv2. Original authors are Andrew Horton (urbanadventurer) and Brendan Coles (bcoles).
GPLv2 permits commercial use (including by consultants and security firms), but any customizations or bundled derivative tools must also be released under GPLv2 or include source availability. Internal business use (e.g., scanning your own infrastructure) requires no disclosure. Use without modification is unencumbered for commercial purposes. **Requires legal review** if incorporating WhatWeb into a proprietary tool or SaaS offering.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Possible |
| Assessment confidence | High |
WhatWeb is a reconnaissance tool and does not execute payload-bearing requests or exploit code injection. Security posture considerations: (1) SSL/TLS validation should be verified when scanning HTTPS targets to prevent MITM attacks in untrusted networks; (2) cookie handling and stored credentials (basic auth, proxy passwords) should be protected at rest and in memory; (3) output logs may contain sensitive headers, emails, or account identifiers—treat log files as sensitive; (4) use in authenticated/closed networks preferred to prevent IP enumeration or rate-limiting triggers; (5) source code is public, reducing hidden malware risk but requiring trust in maintainers. No formal security audit or CVE history available in data.
Alternatives to consider
Wappalyzer
Browser-based and lightweight; detects similar tech stack with <100 plugins. Faster for small-scale scanning but less depth. Freemium SaaS model; less suitable for CLI automation at scale.
BuiltWith
Commercial SaaS with curated tech database and domain intelligence. Better for competitive analysis and bulk lookups but expensive and closed-source. No CLI or local deployment option.
Shodan
Internet-wide search engine for metadata and banner grabbing. Complements local scanning by querying passive intelligence. Requires API key and credit consumption; not a local scanner.
Build on WhatWeb with DEV.co software developers
WhatWeb accelerates reconnaissance and technology enumeration for penetration testing and security audits. Start with stealthy mode, scale with aggressive scanning. Free and open-source.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
WhatWeb FAQ
Is WhatWeb a vulnerability scanner?
Can I scan without authorization?
What is the difference between aggression levels?
Can I integrate WhatWeb with my SIEM?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like WhatWeb. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Ready to Map Your Web Stack?
WhatWeb accelerates reconnaissance and technology enumeration for penetration testing and security audits. Start with stealthy mode, scale with aggressive scanning. Free and open-source.