opendoor 5.14.3

Fast CLI for directory discovery, subdomain enumeration, and web asset reconnaissance

OpenDoor — OWASP Web Directory Scanner

OpenDoor is an open-source CLI scanner for authorized web reconnaissance, directory discovery, subdomain enumeration, fingerprint detection, WAF detection, controlled header-bypass probing, response filtering, reporting, and transport-based scanning workflows.

It helps security researchers, penetration testers, bug bounty hunters, DevSecOps engineers, and developers identify exposed paths, login panels, directory listings, restricted resources, backup files, web shells, subdomains, and other potentially sensitive web assets.

Use OpenDoor only on systems you own or have explicit permission to test.

---

✅ Project status

🧪 CI matrix

Platform	Python 3.12	Python 3.13	Python 3.14
Linux
macOS
Windows

---

🚀 Quick links

• Documentation
• Quickstart
• Installation and update
• Usage guide
• Practical examples
• Changelog
• PyPI package
• Docker image
• AUR package
• BlackArch package
• Issues

---

✨ Features

• directory discovery;
• recursive directory discovery;
• subdomain enumeration;
• multi-threading scans;
• single target, target file, stdin, IPv4 CIDR, and IPv4 range input modes;
• custom wordlists, prefixes, and extension filters;
• custom request headers, cookies, and raw HTTP request templates;
• response filters by status, size, text, regex, and body length;
• smart auto-calibration for soft-404, wildcard, catch-all, and semantic response-diff cases;
• technology fingerprint detection CMS, ecommerce platforms, frameworks;
• passive WAF detection and WAF-safe scan mode;
• controlled header and path bypass probes for blocked 401 and 403 resources;
• resumable scan sessions with checkpoint autosave;
• CI/CD fail-on result bucket rules;
• official Docker image distribution via GitHub Container Registry;
• reports in terminal, text, JSON, CSV, HTML, and SQLite formats;
• proxy, OpenVPN, and WireGuard transport profiles;
• sequential per-target transport rotation for batch workflows;
• configuration wizard for repeatable scan profiles.

---

🧭 Where does OpenDoor make sense?

It is designed for real targets where speed alone is not enough: WAFs, CDNs, soft-404 pages, wildcard routes, restricted resources, authenticated areas, unstable networks, multi-target batches, and transport-controlled scans. OpenDoor focuses on context-aware discovery instead of blind enumeration.

What makes OpenDoor different

Capability	Why it matters
Fingerprint-first scanning	OpenDoor can identify probable CMS platforms, frameworks, infrastructure providers, and WAF signals before deeper discovery. This helps you scan with context instead of blindly throwing a generic wordlist at the target.
WAF-aware behavior	OpenDoor can detect probable WAF / anti-bot behavior and switch to a safer runtime profile with --waf-safe-mode, reducing noisy blocked scans and making defensive responses easier to understand.
Controlled bypass evidence	OpenDoor can optionally probe blocked 401 and 403 resources with controlled header-injection and path-manipulation variants. It records exact evidence such as bypass type, header or path variant, probe value, original status code, and resulting status code without mutating global scan headers.
Multi-signal auto-calibration	OpenDoor does not rely only on status code or response size. It compares multiple response signals such as body hashes, visible text, semantic soft-404 phrases, DOM-token structure, titles, redirects, stable headers, word count, line count, text density, and normalized dynamic tokens to reduce soft-404 and wildcard false positives.
Transport-level workflows	OpenDoor supports direct, proxy, OpenVPN, and WireGuard transport modes. It can also rotate transport profiles per target in authorized batch scans, which is not the same as manually starting a VPN before running a scanner.
Resumable long scans	OpenDoor can save scan checkpoints and resume later. This matters when scans are interrupted by crashes, unstable networks, blocked routes, terminal disconnects, or long multi-target jobs.
CI/CD-ready results	OpenDoor can return a failing exit code only when selected result buckets are found, making it usable as a release gate or exposure regression check without custom post-processing scripts.
Auditable engineering	OpenDoor is maintained with multi-platform CI, coverage checks, package checks, documentation builds, and a large unittest suite, making it easier to audit, contribute to, and depend on.

🧬 Recognized technologies

OpenDoor includes a heuristic fingerprint engine for detecting probable application stacks, CMS platforms, frameworks, site builders, static-site tooling, infrastructure providers, and WAF / anti-bot systems.

Category	Examples
CMS	WordPress, Drupal, Joomla, TYPO3, Open Journal Systems, Moodle, Nextcloud, ownCloud, phpMyAdmin
E-commerce	Magento, WooCommerce, Shopify, PrestaShop, OpenCart, Shopware
Frameworks / app platforms	Laravel, Symfony, Django, Flask, FastAPI, Express, NestJS, Next.js, Nuxt, Rails, Spring
Site builders	Wix, Webflow, Squarespace, Tilda
Static / docs generators	MkDocs, Docusaurus, Hugo, Jekyll, VitePress
Infrastructure / hosting	Cloudflare, AWS, Vercel, Netlify, GitHub Pages, GitLab Pages, Heroku, Azure, Google Cloud, Fastly, Akamai
WAF / anti-bot	Cloudflare, AWS WAF, Azure Front Door, Akamai, Imperva, Sucuri, ModSecurity, DataDome, Kasada, F5 BIG-IP ASM

Full list of supported technologies: Fingerprinting technologies

Run fingerprint detection:

opendoor --host https://example.com --fingerprint

Read more:

• Fingerprinting guide
• WAF detection guide

📦 Installation

pipx

Recommended for most CLI users:

pipx install opendoor

pip

python3 -m pip install --upgrade opendoor

Arch Linux / AUR

OpenDoor is available in the Arch User Repository:

yay -S opendoor

Homebrew

When the Homebrew formula is available:

brew install opendoor

Docker

OpenDoor is available as an official project Docker image via GitHub Container Registry.

docker pull ghcr.io/stanislav-web/opendoor:latest
docker run --rm ghcr.io/stanislav-web/opendoor:latest --version

Run a scan and write reports to the host:

mkdir -p reports

docker run --rm \
  -v "$PWD/reports:/work/reports" \
  ghcr.io/stanislav-web/opendoor:latest \
  --host https://example.com \
  --reports json,html \
  --reports-dir reports

BlackArch Linux

OpenDoor is available in BlackArch Linux:

sudo pacman -Syu
sudo pacman -S opendoor

From source

git clone https://github.com/stanislav-web/OpenDoor.git
cd OpenDoor

python3 -m pip install -r requirements.txt
python3 opendoor.py --help

See the full installation guide.

---

🚀 Quick usage

Basic directory scan

opendoor --host https://example.com

Subdomain scan

opendoor --host example.com --scan subdomains

Target list

opendoor --hostlist targets.txt

Target files may mix URLs, domains, IPv4 addresses, IPv4 CIDR blocks, and inclusive IPv4 ranges:

https://example.com
app.example.com
192.168.1.10
192.168.1.0/24
192.168.1.10-192.168.1.50

Standard input

cat targets.txt | opendoor --stdin

The same mixed target format is supported through STDIN.

Low-noise scan

opendoor \
  --host https://example.com \
  --method GET \
  --auto-calibrate \
  --include-status 200-299,301,302,403 \
  --exclude-status 404,429,500-599 \
  --exclude-size-range 0-256 \
  --sniff skipempty,collation,indexof,file \
  --reports std,json,csv

Authenticated scan from raw request

opendoor \
  --raw-request request.txt \
  --scheme https \
  --method GET \
  --auto-calibrate \
  --reports json,html,sqlite

WAF-safe scan

opendoor \
  --host https://example.com \
  --waf-safe-mode \
  --timeout 60 \
  --retries 5 \
  --delay 0.5

Header and path bypass probes

Use this only on systems you are authorized to test. The feature is opt-in and probes blocked resources with controlled temporary headers and safe path variants.

opendoor \
  --host https://example.com \
  --method GET \
  --waf-detect \
  --header-bypass \
  --header-bypass-limit 32 \
  --reports std,json,csv,sqlite

When --header-bypass is enabled, OpenDoor first tries configured header-injection variants and then safe path-manipulation variants such as trailing slash, dot segment, semicolon suffix, case variation, and URL-encoded segment. Customize trigger statuses, trusted IP values, and headers:

opendoor \
  --host https://example.com \
  --method GET \
  --header-bypass \
  --header-bypass-status 401,403 \
  --header-bypass-ips 127.0.0.1,10.0.0.1 \
  --header-bypass-headers X-Original-URL,X-Rewrite-URL,X-Forwarded-For,X-Real-IP \
  --reports json,html,sqlite,csv

Proxy routing

Use a single explicit proxy:

opendoor --host https://example.com --proxy socks5://127.0.0.1:9050

Use the bundled rotating proxy pool:

opendoor --host https://example.com --proxy-pool

Use a custom rotating proxy list:

opendoor --host https://example.com --proxy-list proxies.txt

OpenVPN transport

opendoor \
  --host https://example.com \
  --transport openvpn \
  --transport-profile ./profile.ovpn

WireGuard transport

opendoor \
  --host https://example.com \
  --transport wireguard \
  --transport-profile ./profile.conf

More examples:

• Basic scans
• Batch scans
• Authenticated scans
• WAF-safe scans
• Header-bypass scans
• VPN transport scans
• CI/CD examples

---

📚 Documentation

The full documentation is available on ReadTheDocs:

• Home
• Quickstart
• Installation and update
• Usage guide
• Target input
• Reports
• Fingerprinting
• WAF detection and safe mode
• Header Injection Bypass
• Auto-calibration
• Network transports
• OpenVPN transport
• WireGuard transport
• Practical examples
• Testing
• Contribution

---

🧪 Development

Install development dependencies:

python3 -m venv .venv
source .venv/bin/activate

python -m pip install --upgrade pip setuptools wheel
python -m pip install -r requirements-dev.txt
python -m pip install -e .

Run tests:

python -m unittest

Run coverage:

coverage run -m unittest discover -s tests -p "test_*.py"
coverage report -m

Build documentation:

python3 -m venv .docs-venv
source .docs-venv/bin/activate
python -m pip install -r docs/requirements.txt
python -m mkdocs build --strict

Build package artifacts:

python -m build

See the full testing guide and contribution guide.

---

🔐 Security and secret hygiene

Do not commit real secrets or private transport profiles.

Never publish:

• real OpenVPN profiles;
• WireGuard private keys;
• auth-user-pass files;
• cookies;
• bearer tokens;
• customer target lists;
• private scan reports;
• sensitive CI artifacts.

Use placeholder examples only.

---

⚖️ Responsible use

OpenDoor is a security testing tool.

Use it only against systems you own or have explicit permission to test.

Features such as WAF detection, WAF-safe scanning, raw request replay, transport profiles, and Header Injection Bypass probes are intended for authorized security testing, defensive validation, and exposure regression checks.

The project does not grant permission to scan third-party systems, organizations, commercial services, or public infrastructure without authorization.

---

🧾 Changelog

See CHANGELOG.md and GitHub Releases.

---

🤝 Contributing

Pull requests are welcome.

Before contributing, read the contribution guide and run the relevant tests.

---

📄 License

OpenDoor is released under the GNU General Public License v3.0 only.

See LICENSE.

---

Support

If OpenDoor helps your authorized security work, you can support ongoing maintenance through Giveth.

Support OpenDoor on Giveth

---