When a new CVE drops and your boss asks "are we running that?" — how fast can you answer?
Most teams scramble through Confluence pages, Slack threads, and half-updated spreadsheets. But there's a better approach: automated technology detection with CPE identifiers that plug directly into vulnerability databases.
In this post, I'll show you how to detect what technologies a website is running and get machine-readable CPE strings you can cross-reference with NIST's National Vulnerability Database (NVD).
What Are CPE Identifiers?
CPE (Common Platform Enumeration) is a standardized naming scheme for IT products. It looks like this:
cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*
The NVD uses CPEs to map CVEs to affected software: each CVE record carries applicability statements that name CPEs, usually with version ranges. If you know the CPE of what you're running, including the version, you can look up every known vulnerability for that exact product and version. A CPE with a wildcard (*) in the version field matches every version of the product, so a versionless lookup tells you what has ever affected that product, not what affects your deployment.
The problem? Most teams don't maintain an accurate inventory of what technologies their web properties are running.
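To make the CPE format concrete, here is a small parser and formatter for CPE 2.3 formatted strings, added as an example for this post (it is not DetectZeStack or NVD code). It splits the 13 colon-separated fields while respecting backslash-escaped colons, validates the part field (a, h or o), and fills the wildcard version slot with a version you have observed, escaping characters the formatted-string binding requires. The sample strings are the ones from this post plus a constructed one with an escaped colon; the nginx version 1.24.0 is an assumed observed value, not something the post reports.

```python
import re

# The 11 components that follow the "cpe:2.3" prefix, in order
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def _split_unescaped(s):
    """Split on ':' but keep backslash-escaped colons ('\\:') inside a value."""
    fields, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe(cpe):
    """Parse a CPE 2.3 formatted string into a dict of its named components."""
    fields = _split_unescaped(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a 13-field CPE 2.3 formatted string: {cpe!r}")
    parsed = dict(zip(CPE_FIELDS, fields[2:]))
    if parsed["part"] not in ("a", "h", "o"):  # application, hardware, operating system
        raise ValueError(f"unknown part {parsed['part']!r} in {cpe!r}")
    return parsed


def is_valid_cpe(cpe):
    try:
        parse_cpe(cpe)
        return True
    except ValueError:
        return False


def escape_value(value):
    """Bind a plain value to formatted-string syntax: ASCII letters, digits,
    '-', '.' and '_' pass through, '*' and '?' stay as wildcards, and every
    other character gets a backslash (so '2.4.51+deb' becomes '2.4.51\\+deb')."""
    return "".join(c if (c.isascii() and c.isalnum()) or c in "-._*?" else "\\" + c
                   for c in value)


def unescape_value(value):
    """Reverse escape_value for display: 'my\\:product' -> 'my:product'."""
    return re.sub(r"\\(.)", r"\1", value)


def format_cpe(fields):
    return "cpe:2.3:" + ":".join(fields[name] for name in CPE_FIELDS)


def with_version(cpe, version):
    """Replace the version component with an observed version (from a Server
    header, a library's version string, ...) so NVD lookups are scoped to it."""
    fields = parse_cpe(cpe)
    fields["version"] = escape_value(version)
    return format_cpe(fields)


def is_versioned(cpe):
    """False when the version slot is ANY ('*') or NA ('-'): an NVD query with
    such a CPE returns CVEs for every version of the product."""
    return parse_cpe(cpe)["version"] not in ("*", "-")


if __name__ == "__main__":
    detected = "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"  # as in the sample response below
    print(parse_cpe("cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*"))
    print(is_versioned(detected), with_version(detected, "1.24.0"))  # assumed version
```

The escaping rules follow the formatted-string binding in the CPE 2.3 naming specification; the parser deliberately rejects anything that is not exactly 13 fields, which is what an NVD query expects.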
Automated Detection with DetectZeStack
DetectZeStack is a REST API that analyzes any website and returns the full technology stack — including CPE identifiers where available. It combines multiple detection methods:
- Wappalyzer fingerprinting — 3,500+ technology signatures matched against HTTP headers, HTML content, and JavaScript patterns
- DNS CNAME analysis — 29 infrastructure signatures (CloudFront, Fastly, Akamai, Netlify, Vercel, etc.)
- TLS certificate inspection — 8 certificate authority signatures (Cloudflare, DigiCert, Let's Encrypt, etc.)
- Custom header matching — security headers like HSTS, server identification
Quick Example
curl "https://detectzestack.p.rapidapi.com/analyze?url=example.com" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: detectzestack.p.rapidapi.com"
Response:
{
  "domain": "example.com",
  "technologies": [
    {
      "name": "Nginx",
      "categories": ["Web servers"],
      "confidence": 100,
      "cpe": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"
    },
    {
      "name": "jQuery",
      "categories": ["JavaScript libraries"],
      "confidence": 100,
      "cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"
    }
  ]
}
Each technology with a known CPE includes it in the response. You can pass that string straight to the NVD API. Two things to keep in mind: cpeName must be a complete 13-field CPE 2.3 name (a truncated one is rejected), and because the detected CPE has a wildcard in the version slot, the query returns CVEs for every version of the product, not just the one you are running:
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"
Building a Vulnerability Scanner
Here's a practical Python script that ties it together — detect technologies, extract CPEs, and check for known vulnerabilities:
import os
import sys
import time

import requests

# Read keys from the environment rather than hardcoding them in the script
RAPIDAPI_KEY = os.environ["RAPIDAPI_KEY"]
NVD_API_KEY = os.environ.get("NVD_API_KEY")  # optional; raises the NVD rate limit


def detect_stack(url):
    resp = requests.get(
        "https://detectzestack.p.rapidapi.com/analyze",
        params={"url": url},
        headers={
            "X-RapidAPI-Key": RAPIDAPI_KEY,
            "X-RapidAPI-Host": "detectzestack.p.rapidapi.com",
        },
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()


def check_cves(cpe_name):
    # cpeName must be a full 13-field CPE 2.3 string. A wildcard in the version
    # field matches every version of the product, so expect noisy results
    headers = {"apiKey": NVD_API_KEY} if NVD_API_KEY else {}
    resp = requests.get(
        "https://services.nvd.nist.gov/rest/json/cves/2.0",
        params={"cpeName": cpe_name},
        headers=headers,
        timeout=60,
    )
    resp.raise_for_status()
    return resp.json().get("vulnerabilities", [])


def severity_of(cve):
    # Prefer CVSS v3.1, then v3.0, then v2 (whose baseSeverity sits beside
    # cvssData rather than inside it); not every CVE has metrics yet
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseSeverity"]
    if metrics.get("cvssMetricV2"):
        return metrics["cvssMetricV2"][0].get("baseSeverity", "N/A")
    return "N/A"


# Detect technologies
target = sys.argv[1] if len(sys.argv) > 1 else "yoursite.com"
result = detect_stack(target)
for tech in result.get("technologies", []):
    cpe = tech.get("cpe")
    if not cpe:
        continue
    print(f"\n{tech['name']} ({cpe})")
    vulns = check_cves(cpe)
    if vulns:
        print(f"  Found {len(vulns)} known CVEs (showing up to 5):")
        for v in vulns[:5]:
            cve = v["cve"]
            print(f"  {cve['id']} - {severity_of(cve)}")
    else:
        print("  No known CVEs")
    # NVD allows 5 requests per rolling 30-second window without an API key
    # (50 with one), so pause between lookups; one second is not enough
    time.sleep(1 if NVD_API_KEY else 6)
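The CPEs DetectZeStack returns carry a wildcard in the version slot, so the NVD query above hands back CVEs for every version of the product. The missing step, added here as an example that is not part of the original post or of DetectZeStack, is to filter that response down to the CVEs whose applicability statements (the configurations block, with its versionStartIncluding / versionEndExcluding bounds) actually cover the version you observed. The response below is a constructed sample shaped like NVD API 2.0 output; its CVE IDs are placeholders, not real records, and the nginx versions tested are assumed values. Once you have a version for a detected product, feed the list returned by check_cves() from the script above in place of the sample.

```python
import re

# Constructed sample shaped like an NVD CVE API 2.0 response for a versionless
# nginx CPE. The CVE IDs are placeholders, not real records; only the structure matters.
SAMPLE_NVD_RESPONSE = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "1.3.9", "versionEndExcluding": "1.4.1"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            # CVSS v2 keeps baseSeverity beside cvssData, not inside it
            "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}, "baseSeverity": "MEDIUM"}]},
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "1.25.4"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0003",
            "metrics": {},  # no CVSS scored yet
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:nginx:nginx:1.21.0:*:*:*:*:*:*:*"}]}]}],
        }},
    ]
}


def version_key(v):
    """Turn '1.24.0' into a tuple that compares numerically per component.
    Non-numeric components sort after numeric ones; good enough for the dotted
    release numbers web servers and JavaScript libraries advertise."""
    key = []
    for part in re.split(r"[.\-+]", v):
        m = re.match(r"(\d+)(.*)", part)
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, part))
    return tuple(key)


def severity_of(cve):
    """Prefer CVSS v3.1, then v3.0, then v2; 'N/A' when a CVE carries no metrics."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseSeverity"]
    if metrics.get("cvssMetricV2"):
        return metrics["cvssMetricV2"][0].get("baseSeverity", "N/A")
    return "N/A"


def match_version(m, version):
    """Does `version` satisfy one cpeMatch entry: its criteria version plus any
    versionStart*/versionEnd* bounds NVD attaches to a wildcard criteria?"""
    v = version_key(version)
    crit_version = m["criteria"].split(":")[5]  # plain split: fine for CPEs without escaped colons
    if crit_version not in ("*", "-") and version_key(crit_version) != v:
        return False
    if "versionStartIncluding" in m and v < version_key(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= version_key(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > version_key(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= version_key(m["versionEndExcluding"]):
        return False
    return True


def affected_cves(nvd_response, cpe, version):
    """Return [(cve_id, severity)] for CVEs whose applicability statements cover
    the product named in `cpe` at `version`. Negated nodes are skipped (rare, and
    evaluating them needs the full boolean tree); AND nodes (product plus platform)
    count as a hit when the product entry matches, so the filter over-reports rather
    than hiding a CVE that deserves a closer look."""
    vendor_product = tuple(cpe.split(":")[3:5])
    hits = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        matched = False
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                if node.get("negate"):
                    continue
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue
                    if tuple(m["criteria"].split(":")[3:5]) != vendor_product:
                        continue
                    if match_version(m, version):
                        matched = True
        if matched:
            hits.append((cve["id"], severity_of(cve)))
    return hits


if __name__ == "__main__":
    for ver in ("1.4.0", "1.21.0", "1.25.4"):  # assumed observed versions
        print(ver, affected_cves(SAMPLE_NVD_RESPONSE, "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*", ver))
```

The version you feed in has to come from somewhere DetectZeStack's wildcard CPE does not: a Server header, a script path, a package manifest, or your own deployment records. Without it, the honest answer to "are we running that?" is "we run nginx, version unknown", and this filter cannot narrow the list.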
Use Cases for Security Teams
1. Asset inventory — Scan all your public-facing domains to build a technology inventory. Use the /analyze/batch endpoint to check up to 10 URLs per request.
2. Continuous monitoring — Set up webhook subscriptions to get notified every time a domain is analyzed. Track technology changes over time with the /history endpoint.
3. Vendor risk assessment — Before onboarding a third-party vendor, scan their web properties. Know what they're running before signing the contract. Keep in mind that passive fingerprinting of a public site sees what the edge (CDN, WAF, load balancer) exposes, not necessarily the origin behind it.
4. Incident response — When a new CVE is published, immediately scan your domains to check for affected technologies. Results are cached for 24 hours, so repeated checks within that window are instant and free, but they return the stack as seen at the last analysis rather than a fresh scan.
Try It Out
You can test DetectZeStack right now — no signup required. Visit detectzestack.fly.dev and use the live demo to analyze any website.
For API access, grab a free key on RapidAPI (100 requests/month, no credit card required).
What security automation workflows are you building? I'd love to hear how you're using technology detection in your security pipeline. Drop a comment below.