CyberCheatsheets

WhatWeb Cheat Sheet

Web technology fingerprinter identifying CMS, frameworks, plugins, and server headers.

Scanning & Enumeration | cms | fingerprint | web | Updated 2026-06-02

Overview

WhatWeb identifies technologies behind websites (CMS, JavaScript libraries, web servers, analytics, etc.) using signatures, headers, and content patterns. Use early in web assessments to prioritize manual testing and exploit research.

Authorized testing only. Aggressive modes send more requests; use only on in-scope targets.

Install

sudo apt install -y whatweb
whatweb --version

Essential commands

Basic scan

whatweb https://target.example.com

Verbose plugins

whatweb -v https://target.example.com

Multiple targets

whatweb -i urls.txt

Aggressive (more requests, deeper)

whatweb -a 3 https://target.example.com

Common workflows

Bulk fingerprint after httpx:

httpx -l subs.txt -silent -o urls.txt
whatweb -i urls.txt --log-brief=whatweb.log

JSON output for reporting:

whatweb https://target.example.com --log-json=out.json
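To turn that JSON log into a per-technology inventory for the report, the following added example (not part of the original cheat sheet or the WhatWeb project) groups targets by detected technology and version. It assumes each record has "target" and "plugins" keys with a "version" list per plugin, as WhatWeb's JSON log typically does; the sample log is constructed and its closing bracket is left off to show handling of an interrupted scan.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of a --log-json file:
# one object per target, "plugins" maps plugin name -> lists of details.
SAMPLE_LOG = """[
{"target":"https://shop.example.com","http_status":200,"plugins":{"HTTPServer":{"string":["nginx"]},"WordPress":{"version":["6.4.2"]},"JQuery":{"version":["3.6.0"]}}},
{"target":"https://blog.example.com","http_status":200,"plugins":{"WordPress":{"version":["5.8"]},"PHP":{"version":["7.4.3"]}}},
{"target":"https://old.example.com","http_status":301,"plugins":{"RedirectLocation":{"string":["https://shop.example.com/"]}}}
"""  # closing "]" deliberately missing, as after an interrupted scan


def load_entries(text):
    """Parse the log; fall back to line-by-line if the array is truncated."""
    try:
        data = json.loads(text)
        return [e for e in data if e] if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        entries = []
        for line in text.splitlines():
            line = line.strip().rstrip(",")
            if line.startswith("{"):
                try:
                    entries.append(json.loads(line))
                except json.JSONDecodeError:
                    continue  # skip a half-written final record
        return [e for e in entries if e]


def inventory(entries, skip=("IP", "Country", "Title", "RedirectLocation")):
    """Return {technology: {version or 'unknown': sorted list of targets}}."""
    inv = defaultdict(lambda: defaultdict(set))
    for entry in entries:
        for name, detail in entry.get("plugins", {}).items():
            if name in skip:  # informational plugins, not technologies
                continue
            for version in (detail or {}).get("version") or ["unknown"]:
                inv[name][str(version)].add(entry.get("target", "?"))
    return {t: {v: sorted(s) for v, s in vs.items()} for t, vs in inv.items()}


if __name__ == "__main__":
    for tech, versions in sorted(inventory(load_entries(SAMPLE_LOG)).items()):
        for version, targets in sorted(versions.items()):
            print(f"{tech:12} {version:10} {', '.join(targets)}")
```

Grouping by version makes it easy to see which hosts run an outdated release of the same product and need patching first.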

Proxy through Burp:

whatweb https://target.example.com --proxy 127.0.0.1:8080

Custom user-agent and auth:

whatweb -U "Mozilla/5.0 ..." --header "Cookie: session=abc" https://target.example.com

Flags reference

-i                  Input file of URLs
-a                  Aggression level 1–4
-v / -q             Verbose / quiet
--log-json          JSON log file
--log-brief         Brief log file
--proxy             HTTP proxy host:port
-U                  User-Agent
--header            Custom HTTP header
--follow-redirect   Follow redirects
-t                  Thread count

Tips

  • Levels -a 3 and -a 4 are noisy; confirm with the rules of engagement (RoE) before using them on production.
  • Cross-check results with httpx -tech-detect and manual Burp review.
  • Log formats (--log-json) integrate well into note-taking and reports.
  • Some plugins trigger IDS; throttle with -t on sensitive targets.
