# Module 13 — Technology Fingerprinting & CVE Detection

Icon: Magnifying Glass | Colour: Teal

## Overview

Identifies web technologies, frameworks, CMS platforms, and JavaScript libraries running on the target, then maps discovered software+version combinations to known CVEs via the NVD database.

Maps to OWASP Top 10 A06 — Vulnerable and Outdated Components, CWE-1035 (Using Components with Known Vulnerabilities), and CWE-1104 (Use of Unmaintained Third Party Components).
## How It Works

### 1. HTTP Header/Cookie Fingerprinting

Analyses response headers and cookies from crawled pages for technology disclosure:

- Checks `Server`, `X-Powered-By`, `X-AspNet-Version`, `X-Runtime`, `X-Generator`, and `Via` headers
- Matches `Set-Cookie` patterns to identify technology stacks (PHP, Java, ASP.NET, Django, Flask, Rails, Express.js, etc.)
### 2. HTML Meta Tag Analysis

Scans HTML responses for generator and framework markers:

- Extracts `<meta name="generator">` tags that reveal CMS name and version
- Detects CMS-specific HTML patterns (WordPress `/wp-content/`, Drupal `Drupal.settings`, Joomla `/media/jui/`, Magento `/static/frontend/Magento/`)
### 3. JavaScript Library Detection

Identifies client-side JavaScript libraries and their versions:

- Regex matching on CDN URLs (`jquery-3.6.0.min.js`, `react/17.0.2`, etc.)
- Parses inline JS comments for version strings (`/*! jQuery v3.6.0 */`)
- Covers jQuery, Angular, React, Vue.js, Bootstrap, Lodash, Moment.js, D3.js, and many more
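
The three passive steps above (disclosure headers and session cookies, the generator meta tag, and CDN URL / banner-comment version strings) all reduce to pattern matching over a single response. The following is an added example written for this page, not the module's own code: it runs the same kind of checks over a constructed response so you can see exactly what a server leaks and which (technology, version) pairs would then feed the CVE lookup. The cookie-name table, the header-value regex and the library list are illustrative assumptions, not the module's patterns, and the headers and HTML are constructed, not captured from any site.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (name, value); Set-Cookie may repeat, so a list rather than a dict
Finding = Dict[str, Optional[str]]

# Headers whose value names a technology, usually with its version
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-runtime", "x-generator", "via"}
# Headers that carry only a version; the stack is implied by the header name
VERSION_ONLY_HEADERS = {"x-aspnet-version": "ASP.NET"}
# Default session-cookie names and the stack they indicate (illustrative subset, assumed here)
COOKIE_SIGNATURES = [
    (re.compile(r"^PHPSESSID$"), "PHP"),
    (re.compile(r"^JSESSIONID$"), "Java"),
    (re.compile(r"^ASP\.NET_SessionId$"), "ASP.NET"),
    (re.compile(r"^(csrftoken|sessionid)$"), "Django"),
    (re.compile(r"^_[\w-]+_session$"), "Rails"),  # Rails defaults to _<app>_session
    (re.compile(r"^connect\.sid$"), "Express.js"),
]

# "Apache/2.4.57 (Ubuntu)" or "PHP/8.1.2": name, separator, dotted version
HEADER_VALUE_RE = re.compile(r"\s*(?P<tech>[\w.\- ]+?)[/ ]v?(?P<ver>\d+(?:\.\d+)+)")
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"([\w:-]+)\s*=\s*[\"']([^\"']*)[\"']")
# "WordPress 6.4.2" -> (WordPress, 6.4.2); a generator string without digits yields no version
NAME_VERSION_RE = re.compile(r"^(?P<name>.+?)\s+v?(?P<ver>\d+(?:\.\d+)*)\b")
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
# Library name, then '-', '/', '@' or '.', then a version, as CDN paths are laid out
CDN_LIB_RE = re.compile(
    r"(?P<lib>jquery|react|angular|vue|bootstrap|lodash|moment|d3)[-./@]v?(?P<ver>\d+\.\d+(?:\.\d+)?)",
    re.IGNORECASE,
)
# Banner comments such as /*! jQuery v3.6.0 | (c) OpenJS Foundation */
BANNER_RE = re.compile(r"/\*!\s*(?P<lib>[A-Za-z][\w.]*)\s+v?(?P<ver>\d+\.\d+(?:\.\d+)?)")


def _finding(source: str, technology: str, version: Optional[str], evidence: str) -> Finding:
    return {"source": source, "technology": technology, "version": version, "evidence": evidence}


def fingerprint_headers(headers: List[Header]) -> List[Finding]:
    """Step 1: disclosure headers and default session-cookie names."""
    findings: List[Finding] = []
    for name, value in headers:
        lname = name.lower()
        if lname in VERSION_ONLY_HEADERS:
            findings.append(_finding("header", VERSION_ONLY_HEADERS[lname], value.strip(), f"{name}: {value}"))
        elif lname in DISCLOSURE_HEADERS:
            m = HEADER_VALUE_RE.match(value)
            tech = m.group("tech") if m else value.strip()
            findings.append(_finding("header", tech, m.group("ver") if m else None, f"{name}: {value}"))
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            for pattern, stack in COOKIE_SIGNATURES:
                if pattern.match(cookie_name):
                    findings.append(_finding("cookie", stack, None, f"Set-Cookie: {cookie_name}"))
    return findings


def fingerprint_html(html: str) -> List[Finding]:
    """Steps 2 and 3: generator meta tags, CDN script URLs and library banner comments."""
    findings: List[Finding] = []
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator" and attrs.get("content"):
            m = NAME_VERSION_RE.match(attrs["content"])
            tech = m.group("name") if m else attrs["content"]
            findings.append(_finding("meta-generator", tech, m.group("ver") if m else None, tag))
    for src in SCRIPT_SRC_RE.findall(html):
        m = CDN_LIB_RE.search(src)
        if m:
            findings.append(_finding("cdn-url", m.group("lib").lower(), m.group("ver"), src))
    for m in BANNER_RE.finditer(html):
        findings.append(_finding("js-banner", m.group("lib").lower(), m.group("ver"), m.group(0)))
    return findings


def fingerprint_response(headers: List[Header], html: str) -> List[Finding]:
    """Combine header/cookie and HTML evidence into one list of technology findings."""
    return fingerprint_headers(headers) + fingerprint_html(html)


def versioned_components(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Distinct (technology, version) pairs: the input the CVE lookup step needs."""
    return sorted({(f["technology"], f["version"]) for f in findings if f["version"]})


# Constructed response for the demonstration; not captured from any real site
SAMPLE_HEADERS: List[Header] = [
    ("Server", "Apache/2.4.57 (Ubuntu)"),
    ("X-Powered-By", "PHP/8.1.2"),
    ("Set-Cookie", "PHPSESSID=0123abcd; Path=/; HttpOnly"),
    ("Content-Type", "text/html; charset=utf-8"),
]
SAMPLE_HTML = """<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 6.4.2">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/17.0.2/umd/react.production.min.js"></script>
<script>/*! lodash v4.17.21 */ var _ = window._;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in fingerprint_response(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{f['source']:<15} {f['technology']:<12} {f['version'] or '-':<9} {f['evidence']}")
```

Run against your own site's responses, the output is the list of things an attacker learns for free; each row with a version is also a row the remediation section says to suppress, and `versioned_components` is the exact hand-off to the CVE lookup in step 8. Cookie matches carry no version, which is why the findings table rates them Info rather than Low.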
### 4. CMS Detection & Version

Probes well-known CMS paths to confirm platform identity:

- WordPress: `/wp-login.php`, `/wp-admin/`, `/wp-json/`
- Drupal: `/core/misc/drupal.js`, `/user/login`
- Joomla: `/administrator/`, `/media/system/js/`
- Magento: `/magento_version`, `/admin/`
### 5. CMS Plugin/Theme Enumeration

When a CMS is detected, discovers installed plugins and themes:

- WordPress plugin enumeration via `/wp-content/plugins/{name}/`
- WordPress theme enumeration via `/wp-content/themes/{name}/`
- Reads `readme.txt` to extract plugin version numbers
### 6. WhatWeb Integration

Runs WhatWeb (if available) for comprehensive technology fingerprinting:

- Uses aggression level 3 for thorough detection
- Parses JSON output for technology names and versions

### 7. retire.js Vulnerability Scanning

Runs retire.js (if available) specifically for client-side JavaScript vulnerability detection:

- Checks all discovered JavaScript resources against the retire.js vulnerability database
- Reports known vulnerabilities with severity and CVE identifiers

### 8. Known CVE Lookup

Queries the NVD (National Vulnerability Database) API for all identified software+version combinations:

- Searches NVD API v2.0 for matching CVEs
- Filters results by minimum severity threshold (configurable)
- Reports CVE ID, description, CVSS score, and remediation link
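
The CVE lookup step is mostly plumbing around the NVD API: build a query per (software, version) pair, stay inside the published rate limit, pick a CVSS score out of whichever metric block the record carries, and drop everything below the configured minimum. The code below is an added example for this page, not the module's implementation. It builds the request without sending it and then processes a constructed response shaped like the NVD API v2.0 JSON (`vulnerabilities[].cve` with `descriptions`, `metrics.cvssMetricV31/V30/V2`); the CVE identifiers of the form `CVE-0000-0000N` are placeholders, not real records. The rate limiter takes an injectable clock so the 5-per-30-seconds behaviour can be exercised offline.

```python
import time
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import urlencode

NVD_CVE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Score floors from the configuration table; a CVE is reported when its score meets the configured minimum
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def build_nvd_request(product: str, version: str, api_key: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """URL and headers for an NVD API v2.0 keyword search on one software+version pair (not sent here)."""
    params = {"keywordSearch": f"{product} {version}", "resultsPerPage": 50}
    headers = {"apiKey": api_key} if api_key else {}  # NVD reads the key from this header
    return f"{NVD_CVE_URL}?{urlencode(params)}", headers


def cvss_base_score(cve: dict) -> Optional[float]:
    """Base score from the newest CVSS version present: v3.1, then v3.0, then v2."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return float(metrics[key][0]["cvssData"]["baseScore"])
    return None  # record still awaiting analysis


def severity_label(score: Optional[float]) -> Optional[str]:
    """Map a CVSS score onto the bands used in the Expected Findings table."""
    if score is None:
        return None
    for label in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        if score >= SEVERITY_FLOOR[label]:
            return label
    return None  # a 0.0 score carries no severity


def filter_cves(nvd_response: dict, min_severity: str = "MEDIUM") -> List[Dict]:
    """Keep CVEs at or above the configured minimum severity, highest score first."""
    floor = SEVERITY_FLOOR[min_severity.upper()]
    findings = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        score = cvss_base_score(cve)
        if score is None or score < floor:
            continue  # unscored, or below the threshold
        description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        findings.append({
            "cve_id": cve["id"],
            "cvss": score,
            "severity": severity_label(score),
            "description": description,
            "link": f"https://nvd.nist.gov/vuln/detail/{cve['id']}",
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


class NvdRateLimiter:
    """Sliding-window limiter for NVD's limits: 5 requests / 30 s without a key, 50 / 30 s with one."""
    WINDOW = 30.0

    def __init__(self, has_api_key: bool, clock=time.monotonic) -> None:
        self.limit = 50 if has_api_key else 5
        self._clock = clock  # injectable so the window logic can be tested without sleeping
        self._sent: Deque[float] = deque()

    def wait_time(self) -> float:
        """Seconds until the next request may be sent; 0.0 means send now."""
        now = self._clock()
        while self._sent and now - self._sent[0] >= self.WINDOW:
            self._sent.popleft()
        if len(self._sent) < self.limit:
            return 0.0
        return self.WINDOW - (now - self._sent[0])

    def record(self) -> None:
        """Call once per request actually sent."""
        self._sent.append(self._clock())


# Constructed response in the NVD v2.0 shape; the CVE ids are placeholders, not real entries
SAMPLE_NVD_RESPONSE = {
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "descriptions": [{"lang": "en", "value": "Constructed critical issue"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-00002", "descriptions": [{"lang": "en", "value": "Constructed medium issue"}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]}}},
        {"cve": {"id": "CVE-0000-00003", "descriptions": [{"lang": "en", "value": "Constructed low issue"}],
                 "metrics": {"cvssMetricV30": [{"cvssData": {"baseScore": 3.1}}]}}},
    ],
}

if __name__ == "__main__":
    print(build_nvd_request("jquery", "3.6.0")[0])
    for f in filter_cves(SAMPLE_NVD_RESPONSE, "MEDIUM"):
        print(f"{f['cve_id']}  {f['cvss']:>4}  {f['severity']:<8}  {f['link']}")
```

Two caveats a practitioner should keep in mind when reading results from this step. A keyword search on "product version" is deliberately loose and will surface CVEs for unrelated products that mention the same words, so treat the output as candidates to confirm against the vendor advisory rather than as confirmed exposure; where a CPE name for the component is known, NVD's `cpeName` parameter gives a much tighter match. And records that NVD has not yet scored are silently dropped by the severity filter, so a very recent CVE for a detected component can be missing from the report.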
## Configuration

When you select Fingerprinting & CVE Detection as a scan module, an additional configuration panel appears. Click Configure to open the settings modal.

| Parameter | Required | Default | Description |
|---|---|---|---|
| NVD API Key | No | None | Free API key from nvd.nist.gov. Increases rate limits from 5 to 50 requests per 30 seconds. |
| Minimum CVE Severity | No | MEDIUM | Filter threshold for CVE results: CRITICAL (≥9.0), HIGH (≥7.0), MEDIUM (≥4.0), or LOW (≥0.1) |

**NVD API Key:** Without an API key, CVE lookups are rate-limited to 5 requests per 30 seconds. For scans with many detected technologies, an API key significantly speeds up the CVE lookup phase. Get a free key at nvd.nist.gov.

**Ephemeral Storage:** All parameters (including the NVD API key) are stored temporarily in Redis during the scan and never persisted to the database. They are automatically deleted when the scan completes.
## Expected Findings

| Finding | Severity | CWE |
|---|---|---|
| Technology disclosed via Server/X-Powered-By header | Low | CWE-200 |
| Technology detected via session cookie pattern | Info | CWE-200 |
| Generator meta tag reveals CMS/framework | Low | CWE-200 |
| CMS detected with version number via HTML/path probing | Medium | CWE-1035 |
| CMS detected without version | Low | CWE-1035 |
| JavaScript library version identified | Info | CWE-1104 |
| Vulnerable JS library found by retire.js | High/Medium | CWE-1035 |
| WordPress/CMS plugin with version detected | Medium | CWE-1104 |
| Known CVE matching detected software+version (CVSS ≥ 9.0) | Critical | CWE-1035 |
| Known CVE matching detected software+version (CVSS ≥ 7.0) | High | CWE-1035 |
| Known CVE matching detected software+version (CVSS ≥ 4.0) | Medium | CWE-1035 |
## Remediation Guidance

- Information disclosure — Remove or obfuscate `Server`, `X-Powered-By`, and similar headers. Rename default session cookies to reduce fingerprinting.
- CMS hardening — Keep CMS platforms updated to the latest stable version. Remove version identifiers from public-facing HTML. Restrict access to admin paths.
- Plugin management — Remove unused plugins and themes. Keep all plugins updated. Audit plugin permissions regularly.
- JavaScript libraries — Update all client-side libraries to the latest stable versions. Use Subresource Integrity (SRI) for CDN-hosted scripts. Run retire.js in your CI/CD pipeline.
- CVE remediation — Prioritise updating software with Critical and High CVEs. Review CVE details at nvd.nist.gov for patch information. Consider virtual patching via WAF rules while updates are tested.
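
The JavaScript-libraries bullet recommends Subresource Integrity for CDN-hosted scripts. SRI pins a `<script>` element to the exact bytes you reviewed, so a CDN compromise or a silent version swap fails to load instead of executing. The block below is an added example for this page, not part of the module: it generates the `integrity` attribute for a script body and checks a fetched body against one the way a browser does (several hashes may be listed; only the strongest algorithm present counts, and any hash of that algorithm matching is a pass). The script bytes and the CDN URL are constructed placeholders. One deliberate difference from browsers is noted in the code: a `verify_sri` check with no usable hash fails here, which is the behaviour you want in a CI check, whereas a browser treats unusable metadata as if no `integrity` were present.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Algorithms Subresource Integrity permits, weakest to strongest
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(resource: bytes, algorithm: str = "sha384") -> str:
    """Integrity metadata '<alg>-<base64 digest>' for a resource body, as a browser computes it."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI supports {SRI_ALGORITHMS}, not {algorithm!r}")
    digest = hashlib.new(algorithm, resource).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, resource: bytes) -> str:
    """<script> pinned to the reviewed bytes; crossorigin is needed for the browser to verify cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(resource)}" crossorigin="anonymous"></script>'


def verify_sri(resource: bytes, integrity: str) -> bool:
    """Browser-style check: keep only the strongest algorithm listed, pass if any of its hashes matches.

    Tokens with unknown algorithms are ignored. Unlike a browser, an integrity value that leaves
    no usable hash fails here, so a typo in the attribute is caught rather than silently accepted.
    """
    by_alg: Dict[str, List[str]] = {}
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            by_alg.setdefault(alg, []).append(b64)
    if not by_alg:
        return False
    strongest = max(by_alg, key=SRI_ALGORITHMS.index)
    actual = sri_hash(resource, strongest).partition("-")[2].encode("ascii")
    # constant-time comparison; encode both sides so non-ASCII junk in the attribute cannot raise
    return any(hmac.compare_digest(actual, expected.encode("utf-8")) for expected in by_alg[strongest])


# Constructed script body; not a real library build
SAMPLE_SCRIPT = b"console.log('constructed sample script');"

if __name__ == "__main__":
    # Placeholder CDN URL; substitute the real script URL and the bytes you reviewed
    print(script_tag("https://cdn.example.invalid/lib.min.js", SAMPLE_SCRIPT))
```

In practice, generate the tag from the bytes you actually reviewed and commit it with the page; the same `verify_sri` check run in CI against a freshly fetched copy tells you when the CDN has changed the file underneath you, which is exactly the case retire.js alone would not notice.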
## Tools Used

| Tool | Purpose |
|---|---|
| WhatWeb | Comprehensive web technology fingerprinting |
| retire.js | Client-side JavaScript vulnerability scanning |
| NVD API v2.0 | Known CVE lookup for software+version combinations |
| Built-in patterns | HTTP header, cookie, HTML, and CDN URL analysis |