{"id":16412557,"url":"https://github.com/0x48piraj/wapparalyser","last_synced_at":"2026-05-17T05:40:44.063Z","repository":{"id":98770348,"uuid":"195588534","full_name":"0x48piraj/wapparalyser","owner":"0x48piraj","description":"Fuzzing and fooling Wappalyzer. Released at BSides Delhi 2019.","archived":false,"fork":false,"pushed_at":"2020-07-21T14:22:05.000Z","size":1764,"stargazers_count":2,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-06T06:23:16.409Z","etag":null,"topics":["blue-team","research-tool","security","tool"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x48piraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-06T22:34:42.000Z","updated_at":"2021-08-05T09:26:20.000Z","dependencies_parsed_at":"2023-05-25T06:45:05.850Z","dependency_job_id":null,"html_url":"https://github.com/0x48piraj/wapparalyser","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Fwapparalyser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Fwapparalyser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Fwapparalyser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x48piraj%2Fwapparalyser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x48piraj"
,"download_url":"https://codeload.github.com/0x48piraj/wapparalyser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240427265,"owners_count":19799470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","research-tool","security","tool"],"created_at":"2024-10-11T06:49:16.169Z","updated_at":"2026-05-17T05:40:44.057Z","avatar_url":"https://github.com/0x48piraj.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Wapparalyser\n\n![License](https://img.shields.io/github/license/0x48piraj/wapparalyser)\n![Version: 1.0](https://img.shields.io/badge/version-1.0-blue.svg)\n![Commits](https://img.shields.io/github/commit-activity/y/0x48piraj/wapparalyser)\n![GitHub issues](https://img.shields.io/github/issues/0x48piraj/wapparalyser)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg alt=\"Wapparalyser\" src=\"assets/branding/logo.png\"\u003e\u003cbr\u003e\n    \u003ci\u003eFuzzing 'n' Fooling Wappalyzer\u003c/i\u003e\n\u003c/p\u003e\n\n\u003e Wapparalyser was presented at [BSides Delhi 2019](https://bsidesdelhi.in/).\n\nWapparalyser is a Python-based defensive security tool for blue-teams which defeats [Wappalyzer](https://www.wappalyzer.com/) (a common red-team tool that uncovers the technologies used on websites) by operating at the same layer as its detection engine.\n\nRather than blocking or obfuscating requests, it generates synthetic yet valid fingerprint artifacts that satisfy Wappalyzer's detection logic while remaining non-executable and safe.\n\nThe result is a 
transparent deception gateway that can convincingly present arbitrary technology stacks to scanners, browsers and automated tooling without modifying the origin site.\n\nTo learn more, head over to [My first security talk — BSides Delhi 2019 Experience](https://blog.0x48piraj.com/my-first-security-talk-bsides-delhi-2019-experience).\n\n## History\n\nWapparalyser originally began as an experimental effort to understand and defeat Wappalyzer's detection mechanisms.\n\nThe first implementation was intentionally exploratory, with rapid prototyping patterns, minimal structure and several partially implemented ideas living side-by-side in a single command-line codebase.\n\nWhile the system worked and proved the core concept, its structure did not scale with complexity. Rule interpretation, artifact generation, transport concerns and presentation were tightly coupled, making the behavior difficult to reason about, test or extend.\n\nThis rewrite revisits the project with that original intent, exploring multiple uncommitted, abandoned prototypes and partial implementations. Shockingly, it still works like gangbusters in ~2022~ **2026**. Letting it gather dust would have been a crime.\n\n## Why this exists\n\nTechnology fingerprinting tools like Wappalyzer rely on:\n\n* HTTP headers\n* Cookies\n* HTML patterns\n* `\u003cmeta\u003e` tags\n* JavaScript stubs\n* Script URLs\n\nRather than attempting to block or evade detection, Wapparalyser **speaks the same grammar** and generates fingerprints that look indistinguishable from real-world deployments.\n\nThis makes it useful for:\n\n* Blue-team deception\n* Red-team research\n* Scanner testing\n* CI/CD validation\n* Defensive signal analysis\n* Teaching how fingerprinting actually works\n\nWapparalyser only synthesizes the signals fingerprinting tools observe and injects them strictly at HTTP and HTML boundaries. 
The origin application behavior is never modified.\n\n## Features\n\n### Stack-based service emulation\n\n* Emulate **individual services** _(currently, 1123)_\n* Emulate **composite stacks** (e.g. LAMP, MEAN, cloud edge stacks)\n* Combine arbitrary technologies\n* Merge headers, cookies, scripts, meta, JS globals safely\n\n### Recursive implied technologies\n\nWappalyzer signatures often imply deeper stacks i.e.\n\n```mermaid\nflowchart LR\n    N[Next.js] --\u003e R[React]\n    R --\u003e J[JavaScript]\n    J --\u003e E[ECMAScript]\n```\n\nGenerally,\n\n```mermaid\nflowchart LR\n    N[Framework] --\u003e R[UI Library]\n    R --\u003e J[Language]\n    J --\u003e E[Specification]\n```\n\nWapparalyser can:\n\n* Expand implied technologies recursively\n* Preview implied stacks in the UI\n* Optionally include them in emulation\n\nThis produces **multi-layer fingerprints** instead of shallow signals.\n\n### Deterministic mode (seeded synthesis)\n\nSynthesis is driven by regex materialization where the artifacts are derived from deterministic seeds.\n\nBy supplying a seed, you can:\n\n* Reproduce fingerprints exactly\n* Share stack configurations\n* Keep CI and scripted runs stable\n\nThe same seed produces the same fingerprint across:\n\n* Preview\n* Proxy\n* Exports\n\n### Featured Web UI\n\nThe web application provides:\n\n* Searchable service grid\n* Interactive selection\n* Multi-service stack composition\n* Implied technology expansion\n* Deterministic seed input\n* Live fingerprint preview\n* One-click proxy launch\n* nginx / Caddy config export\n* Stack presets\n\n### Transparent HTTP proxy\n\nWapparalyser can also operate as a **response-shaping proxy**:\n\n1. Fetches an upstream website\n2. Generates a synthetic fingerprint\n3. Injects fingerprint artifacts\n4. 
Returns a visually identical response\n\nThe upstream site is never modified.\n\n### Headless proxy mode\n\nWapparalyser runs headless by default, exposing only API and proxy routes.\n\nPerfect for:\n\n* CI pipelines\n* Scripted runs\n* Red-team infra\n* Chaining with curl, mitmproxy, Burp\n\n## Architecture\n\nWapparalyser compiles detection rules into concrete evidence which is rendered into HTTP and HTML artifacts.\n\n* Consumes Wappalyzer detection rules\n* Produces structured, technology-agnostic payloads\n* Remains independent of framework concerns\n\nThe system follows a clean proxy flow:\n\n```mermaid\nflowchart LR\n    subgraph FetchPhase[\"Upstream retrieval\"]\n        C1[Client request] --\u003e F1\n        F1[Fetch upstream]\n    end\n\n    subgraph Processing[\"Processing\"]\n        S1[Select service]\n        G1[Compilation]\n        N1[Materialization]\n    end\n\n    subgraph TransportPhase[\"HTTP boundary injection\"]\n        I1[Inject artifacts]\n        R1[Synthetic website]\n    end\n\n    F1 --\u003e S1\n    S1 --\u003e G1\n    G1 --\u003e N1\n    N1 --\u003e I1\n    I1 --\u003e R1\n```\n\nThis architecture allows the same engine to power:\n\n* a CLI\n* a web API\n* a transparent HTTP proxy\n\nwithout duplicating logic or violating security constraints.\n\nEach stage has a single responsibility and operates on a well-defined boundary.\n\n```mermaid\nflowchart LR\n    subgraph SignatureLayer[\"Signature layer\"]\n        G1[Wappalyzer rules]\n    end\n\n    subgraph Compilation[\"Compilation\"]\n        C1[Rule compiler]\n        C2[Evidence graph]\n    end\n\n    subgraph Materialization[\"Materialization\"]\n        R1[Renderer]\n        R2[Fingerprint]\n    end\n\n    subgraph Delivery[\"Delivery\"]\n        P1[Proxy injection]\n        P2[HTTP response]\n    end\n\n    G1 --\u003e C1\n    C1 --\u003e C2\n    C2 --\u003e R1\n    R1 --\u003e R2\n    R2 --\u003e P1\n    P1 --\u003e P2\n```\n\nThe pipeline is intentionally unidirectional; no 
stage mutates or reinterprets upstream content.\n\n## Installation\n\nClone the repository and install dependencies in an isolated environment:\n\n```bash\ngit clone https://github.com/0x48piraj/wapparalyser.git\ncd wapparalyser\n\n# Optional, recommended\npython3 -m venv venv\nsource venv/bin/activate\n\npip install -r requirements.txt\n```\n\n## Usage\n\nWapparalyser can be used in multiple ways depending on your needs.\n\nWhile you can use `src/wapparalyser/cli.py` to generate known artifacts and experiment with them in your own application, running the **Wapparalyser proxy web app** gives you the project's capabilities most effectively.\n\n### Backend (API + Proxy)\n\nTo start the Wapparalyser backend:\n\n```bash\npython3 src/web/app.py\n```\n\nThe service will start on:\n\n```\nhttp://\u003cip-address\u003e:8005\n```\n\nBy default, Wapparalyser runs headless and exposes only:\n\n* REST API endpoints (`/api/v1/*`)\n* Proxy endpoint (`/proxy`)\n\n### React frontend (SPA)\n\nA React frontend is available for interactive use.\n\n#### Configure API base URL\n\nInside the `frontend/` directory, create a `.env` file:\n\n```\nVITE_API_BASE=http://\u003cip-address\u003e:8005\n```\n\nUse your backend server's address instead of the example IP.\n\n#### Install dependencies\n\n```bash\ncd frontend\nnpm install\n```\n\n### Start development server\n\n```bash\nnpm run dev\n```\n\nThe React app will start (typically on `http://localhost:5173`) and communicate with the backend via the configured `VITE_API_BASE`.\n\n### Production build (Optional)\n\nTo build the frontend for production:\n\n```bash\nnpm run build\n```\n\nThis generates a `dist/` folder which can be:\n\n* Served by Flask\n* Or deployed behind a reverse proxy (e.g., nginx)\n\n## API overview\n\n### List services\n\n```http\nGET /api/services\n```\n\nReturns:\n\n* name\n* icon\n* categories\n* implied technologies\n\n### Emulate a stack\n\n```http\nPOST /api/emulate\n```\n\n```json\n{\n  \"services\": [\"Nginx\", 
\"PHP\", \"WordPress\"],\n  \"expand_implies\": true,\n  \"seed\": 1337\n}\n```\n\nReturns a normalized fingerprint preview.\n\n### Export configs\n\n```http\nPOST /api/export/nginx\nPOST /api/export/caddy\n```\n\nGenerates ready-to-use header injection snippets for proxy setups.\n\n## Proxy usage\n\n### Basic\n\n```text\nhttp://localhost:8005/proxy\n```\n\n* random stack\n* default upstream (`example.com`)\n\n### Specific stack\n\n```text\nhttp://localhost:8005/proxy?services=Nginx,PHP,WordPress\n```\n\n### Example\n\n```text\nhttp://localhost:8005/proxy\n  ?target=https://example.com\n  \u0026services=Nginx,PHP,WordPress\n  \u0026expand_implies=1\n  \u0026seed=1337\n```\n\n\u003e **Note:** Run Wappalyzer **against the proxy**, not the origin.\n\n#### Example\n\n```bash\nhttp://localhost:8005/proxy?target=https://example.com\u0026services=nginx,php\u0026seed=1337\n```\n\n## Notes\n\n* No upstream websites / servers are modified\n* All artifacts are inert\n* Designed for research, testing and controlled environments\n\n## Roadmap \u0026 Future work\n\nWapparalyser focuses on semantic fingerprint synthesis rather than total traffic interception or browser automation.\n\nThe roadmap below captures both what has been completed and what could be explored next without committing to unnecessary complexity.\n\n### Completed capabilities\n\n#### Multi-service stack emulation\n\nWapparalyser supports composing realistic technology stacks rather than isolated services.\n\n* Display and manage multiple selected services\n* Recursively expand implied technologies\n* Preview base vs implied stack layers in the UI\n* Apply complete stack composition consistently across preview, proxy and exports\n\nThis enables accurate emulation of real-world deployments (frameworks, runtimes, platforms).\n\n#### Deterministic fingerprints\n\nFingerprint generation can be made completely reproducible.\n\n* Seed-driven regex materialization\n* Identical fingerprints across preview, proxy and 
exports\n* Shareable and repeatable configurations\n\nThis is critical for CI pipelines, demos and controlled research environments.\n\n#### Stack persistence \u0026 export\n\nStack configurations can be preserved and reused.\n\n* Save and reload stack presets in the browser (localStorage)\n* Export header configurations for nginx and Caddy\n* Maintain consistency across sessions without backend state\n\nThese features improve ergonomics without coupling UI state to the engine.\n\n### Future exploration\n\n#### HAR-style session export\n\nCapture a complete proxied browsing session in a portable archive.\n\n* Headers, cookies, injected artifacts\n* Response bodies and timings\n* Redirect chains\n\n**Benefits:** Provides an exact record of how deception appeared to scanners and browsers.\n\n**Trade-offs:** Requires total request/response interception, buffering and session correlation, significantly increasing complexity and attack surface.\n\n#### Fingerprint diffing\n\nCompare two generated fingerprints to highlight meaningful differences.\n\n* Headers, cookies, meta tags\n* Script URLs and JS globals\n* Stack composition changes\n\n**Benefits:** Useful for research, demos and explaining *why* a fingerprint triggered detection.\n\n**Scope note:**\nCan be implemented as a standalone analytical tool without impacting proxy behavior.\n\n### Philosophy going forward\n\nNot every feature belongs in Wapparalyser.\n\nFuture additions should:\n\n* Reinforce understanding of fingerprinting behavior\n* Preserve strict safety guarantees\n* Avoid turning the proxy into a complete traffic MITM\n* Keep the engine framework-agnostic\n\nThe project favors **clarity and correctness** over 
breadth.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x48piraj%2Fwapparalyser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x48piraj%2Fwapparalyser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x48piraj%2Fwapparalyser/lists"}