We’re very proud to release WebTech as open-source software.
WebTech is a Python software that can identify web technologies by visiting a given website, parsing a single response file or replaying a request described in a text file. This way you can have reproducible results and minimize the requests you need to make to a target website.
The RECON phase in a Penetration Test is one among the most important ones. By being able to detect which software runs on the target it’s easier to search for vulnerabilities in a specific module or version.
WebTech scans websites and detect software and versions in use and can report data in a structured format like JSON or in a grepable text for later analysis.
We knew that there are already tools doing this, for example Wappalyzer or CERN’s WAD,
but we wanted a modular tool capable of reading Wappalyzer database as well as an user-supplied one, since we often encounter new or custom web-frameworks.
For this reason we developed the detection of uncommon HTTP Headers, which are not in the technologies database yet.
Since during our penetration tests we heavily use Portswigger Burp, we also integrated WebTech in Burp’s passive and active scanners so you can use it directly as a Burp Extension.
The installation process is pretty easy.
If you want to use WebTech from the cli, run
pip install webtech from the command line of your favorite operative system.
Alternatively, if you want to use WebTech in Burp, download Jython standalone or install the full version, download WebTech from Github then in “Extender” > “Options” > “Python Environment” select the Jython jar location.
Finally, in “Extender” > “Extension”:
– Click “Add”.
– Select “py”/”Python” as extension format.
– Select the “Burp-WebTech.py” file in the webtech folder.
Some screenshot of WebTech in action: