Listen to this Post
Introduction:
Web-Check (web-check.xyz) is a comprehensive open-source intelligence (OSINT) tool that acts as a website “full-body scanner.” It consolidates over 30 different website checks into a single, hacker‑style dashboard, allowing security researchers, developers, and analysts to instantly uncover a site’s IP details, SSL certificates, DNS records, open ports, server location, redirect chains, and even its carbon footprint. By aggregating data that would normally require a dozen separate commands and tools, Web‑Check transforms complex reconnaissance into an accessible, one‑click operation.
Learning Objectives:
- Learn how to use Web‑Check’s public interface and its REST API to perform rapid OSINT reconnaissance on any target website.
- Gain hands‑on experience with self‑hosting Web‑Check using Docker and building from source on Linux and Windows.
- Understand how to interpret key security findings—SSL/TLS configurations, WAF detection, and DNS records—to identify misconfigurations and potential attack vectors.
You Should Know:
- Launching OSINT Reconnaissance with Web‑Check’s Public Interface and API
Web‑Check is available as a free public instance at https://web-check.xyz and also provides a full REST API for programmatic access. You can use either method to inspect a website.
Step‑by‑step guide – using the web interface:
- Open your browser and navigate to https://web-check.xyz.
- In the input field, enter the full URL of the target (including
http://` orhttps://`). For example: `https://example.com`. - Click the Analyze button. The tool will run dozens of checks in parallel and display results in a dark‑themed, hacker‑style dashboard.
4. Review the results, which include:
- IP Info – geographical location and ISP of the hosting server.
- SSL Chain – full certificate details and TLS configuration.
- DNS Records – A, AAAA, MX, NS, TXT records, and DNSSEC status.
- Open Ports – common ports (22, 80, 443, etc.) and their status.
- Traceroute – network path to the target.
- WAF Detection – identifies if the site is behind a firewall like Cloudflare or AWS WAF.
- Cookies & Headers – security attributes such as HttpOnly, Secure, and CSP policies.
Step‑by‑step guide – using the REST API (Linux / Windows):
Web‑Check exposes a well‑documented API that returns JSON data, ideal for automation. All endpoints follow the pattern:
`https://web-check.xyz/api/{endpoint}?url={target-url}`.
Linux / macOS (using `curl`):
Check TLS/SSL configuration curl "https://web-check.xyz/api/tls?url=https://example.com" Detect Web Application Firewall curl "https://web-check.xyz/api/firewall?url=https://example.com" Retrieve DNS records curl "https://web-check.xyz/api/dns?url=https://example.com" Check for security.txt file curl "https://web-check.xyz/api/security-txt?url=https://example.com"
Windows (PowerShell):
Invoke-RestMethod -Uri "https://web-check.xyz/api/tls?url=https://example.com" | ConvertTo-Json -Depth 10
The API is rate‑limited to ensure fair usage: 100 requests per 10 minutes, 250 per hour, and 500 per 12 hours. For large‑scale investigations, self‑hosting is recommended.
2. Self‑Hosting Web‑Check for Privacy and Customisation
Because Web‑Check is open source (MIT licensed), you can run your own instance locally or on your own server, preventing your queries from being logged by a third party. Docker is the simplest deployment method.
Step‑by‑step guide – Docker deployment (Linux / Windows with Docker Desktop):
1. Ensure Docker is installed. On Linux Ubuntu:
curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh sudo docker container run hello-world verify installation
2. Create a `docker-compose.yml` file:
version: '3.9' services: web-check: image: lissy93/web-check restart: always ports: - '6599:3000' container_name: web-check
3. Start the container:
sudo docker compose up -d
The application will be available at `http://localhost:6599`.
- Optionally, add API keys (Google Cloud, Shodan, WhoAPI, etc.) to a `.env` file for enhanced functionality.
Step‑by‑step guide – building from source (Linux / Windows with Node.js):
1. Install Node.js (v16.16.0 or higher).
2. Clone the repository and install dependencies:
git clone https://github.com/Lissy93/web-check.git cd web-check yarn install
3. Create a `.env` file with any desired configuration variables.
4. Build and start the application:
yarn build yarn start
Access the tool at `http://localhost:3000`.
5. For production, use PM2 to manage the process:
npm install -g pm2 pm2 start yarn --1ame web-check -- start
3. Interpreting Security Findings: SSL/TLS, WAF, and DNS
Web‑Check’s greatest value lies in its ability to quickly highlight security misconfigurations that could be exploited.
SSL/TLS Analysis:
The `/api/tls` endpoint uses Mozilla’s TLS Observatory to evaluate certificate validity, supported protocols, and cipher suites. Look for:
– Weak protocols (SSLv3, TLSv1.0) – these are vulnerable to downgrade attacks.
– Expired or self‑signed certificates – a red flag for phishing or misconfigured sites.
– Missing HSTS header – leaves the site open to protocol downgrade and cookie hijacking.
Web Application Firewall (WAF) Detection:
The `/api/firewall` endpoint examines HTTP response headers to identify over 15 common WAF products, including Cloudflare, AWS WAF, Sucuri, and F5 BIG‑IP. A missing WAF or an identifiable WAF version can give attackers valuable information about the defensive layers in place.
DNS and DNSSEC:
The DNS check reveals all public records for a domain:
– MX records – expose the mail provider, a common target for business email compromise.
– TXT records – often contain SPF, DKIM, and DMARC policies. Misconfigurations here enable email spoofing.
– DNSSEC status – if absent, the domain is vulnerable to DNS cache poisoning and man‑in‑the‑middle attacks.
By combining these three data points, a penetration tester can quickly map out the attack surface: the real IP behind a CDN, the presence (or absence) of a WAF, and the security posture of the domain’s DNS infrastructure.
4. Automating Web‑Check with Bash and PowerShell Scripts
For continuous monitoring or batch analysis, you can script Web‑Check’s API.
Linux / macOS bash script to check multiple URLs:
!/bin/bash
save as web-check-scan.sh
URLS=("https://example1.com" "https://example2.com")
for URL in "${URLS[@]}"; do
echo "Scanning $URL"
Get firewall detection
curl -s "https://web-check.xyz/api/firewall?url=$URL" | jq '.waf // "No WAF detected"'
Get TLS grade (simplified)
curl -s "https://web-check.xyz/api/tls?url=$URL" | jq '.analysis[bash].result.level // "N/A"'
echo ""
done
Windows PowerShell script:
save as web-check-scan.ps1
$urls = @("https://example1.com", "https://example2.com")
foreach ($url in $urls) {
Write-Host "Scanning $url"
$firewall = Invoke-RestMethod -Uri "https://web-check.xyz/api/firewall?url=$url"
Write-Host "WAF: $($firewall.waf)"
$tls = Invoke-RestMethod -Uri "https://web-check.xyz/api/tls?url=$url"
Write-Host "TLS level: $($tls.analysis[bash].result.level)"
Write-Host ""
}
Run the script from PowerShell:
`.\web-check-scan.ps1`
5. Security Caveat: The CVE‑2025‑32778 Command Injection Vulnerability
Important: A critical command injection vulnerability (CVE‑2025‑32778) exists in the screenshot API of Web‑Check (versions prior to the fix). The issue stems from user‑controlled input being passed unsanitised into a shell command using child_process.exec(), allowing an attacker to execute arbitrary system commands on the underlying host. If you self‑host Web‑Check, ensure you are running the latest version or apply the patch. Avoid exposing your self‑hosted instance directly to the internet without additional hardening (e.g., reverse proxy with input validation, firewalling). This vulnerability underscores the importance of treating any OSINT tool that performs active reconnaissance as a potential attack vector itself.
Mitigation steps:
- Update to the latest Web‑Check version: `docker pull lissy93/web-check:latest` and recreate the container.
- If building from source, `git pull` the latest commit and rebuild.
- Restrict network access to your Web‑Check instance (e.g., via VPN or SSH tunnel).
- Consider disabling the screenshot feature by removing the relevant API endpoint or using a reverse proxy to filter requests.
- Advanced Techniques: Linking Web‑Check with Other OSINT Tools
Web‑Check is an excellent launchpad, but it can be combined with other tools for deeper investigations.
Extract IP addresses for Nmap scanning:
Get IP from Web‑Check API IP=$(curl -s "https://web-check.xyz/api/ip?url=https://example.com" | jq -r '.ip') Run Nmap scan nmap -sV -p- $IP
Feed subdomains from Web‑Check into Sublist3r:
Web‑Check’s “associated hostnames” feature often reveals hidden subdomains. Extract them manually or via API, then use:
sublist3r -d example.com -o subdomains.txt
Cross‑reference the results to find forgotten development or staging servers.
Automate security header checks:
Use Web‑Check’s headers API to test for missing security headers across your own web estate:
curl -s "https://web-check.xyz/api/headers?url=https://your-site.com" | jq '.headers | { "X-Frame-Options": ."x-frame-options", "Content-Security-Policy": ."content-security-policy" }'
Add this to a CI/CD pipeline to enforce security header compliance.
7. What Undercode Say
- Web‑Check democratises OSINT by packaging dozens of reconnaissance checks into an intuitive, one‑click interface – a genuine force multiplier for both blue and red teams. Unlike using separate tools, Web‑Check provides contextual explanations for each data point, making it invaluable for training junior analysts.
- The self‑hosting option is critical for operational security. By running your own instance, you prevent your investigative targets from being logged by a third‑party service, and you can even air‑gap the tool for sensitive work. The Docker deployment is straightforward and can be stood up in minutes.
- The presence of CVE‑2025‑32778 is a sobering reminder that even security tools can have severe vulnerabilities. Always treat self‑hosted OSINT applications with the same caution as any other internet‑facing service – keep them updated, isolate them, and restrict access. This flaw specifically affected the screenshot API, highlighting the dangers of using `exec()` with user input.
- From a penetration testing perspective, Web‑Check excels at passive reconnaissance before active scanning. The WAF detection and associated hostnames features alone can save hours of manual enumeration. Identifying a Cloudflare WAF, for example, tells you that the real origin IP may be hidden, and you can pivot to looking for misconfigured DNS records that leak the IP.
- The tool’s educational value should not be underestimated. Each result card explains not only the data but also why it matters for security. This makes Web‑Check an excellent teaching aid for cybersecurity courses and self‑study. For instance, the cookie analysis explains the importance of the HttpOnly and Secure flags, linking directly to OWASP Top 10 risks.
Prediction:
- -1 As OSINT tools become more powerful and accessible, attackers will increasingly use them for large‑scale, automated reconnaissance. Web‑Check’s API makes it trivial to script scans against thousands of domains, potentially lowering the barrier for mass‑scale vulnerability discovery.
- +1 The open‑source nature of Web‑Check will drive community contributions, leading to even more comprehensive checks (e.g., integration with CVE databases, real‑time threat intelligence feeds). Self‑hosted instances could become standard in SOCs and red team labs.
- -1 The command injection vulnerability (CVE‑2025‑32778) will likely be followed by other security issues as the tool gains popularity. Administrators who blindly expose self‑hosted instances to the internet without proper hardening may inadvertently create new attack vectors.
- +1 Web‑Check represents a trend toward consolidation in the OSINT space – moving away from dozens of disparate command‑line tools toward unified, dashboard‑driven platforms. Expect more tools to adopt this all‑in‑one model, improving efficiency for defenders.
- +1 The inclusion of carbon footprint calculations, while seemingly peripheral, signals a growing awareness of environmental impact in tech. Future versions might include energy efficiency recommendations or green hosting suggestions, adding a non‑security dimension to website analysis.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Syed Muneeb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
