OpenDoor is an open-source CLI Recon Platform for authorized web reconnaissance, directory discovery, subdomain enumeration, fingerprint detection, WAF detection, controlled header-bypass probing, response filtering, reporting, and transport-based scanning workflows.
It helps security researchers, penetration testers, bug bounty hunters, DevSecOps engineers, and developers identify exposed paths, login panels, directory listings, restricted resources, backup files, web shells, subdomains, and other potentially sensitive web assets.
Use OpenDoor only on systems you own or have explicit permission to test.
| Platform | Python 3.12 | Python 3.13 | Python 3.14 |
|---|---|---|---|
| Linux | | | |
| macOS | | | |
| Windows | | | |
- Documentation
- Quickstart
- Installation and update
- Usage guide
- Practical examples
- Changelog
- PyPI package
- Homebrew formulae
- Docker image
- AUR package
- BlackArch package
- Issues
- Contributors
- directory discovery;
- recursive directory discovery;
- subdomain enumeration;
- multi-threading scans for faster lookups;
- single target, target file, stdin, IPv4 CIDR, and IPv4 range input modes;
- custom wordlists, prefixes, shuffling to break scan patterns and extension filters;
- custom request headers, cookies forwarding, and raw HTTP request templates;
- response filters by status, size, text, regex, and body length;
- response sniffers for detecting directory listings, empty responses, known file exposures, collation, errors and exposed debug stack traces;
- smart auto-calibration for soft-404, wildcard, catch-all, semantic response-diff, and DNS wildcard cases;
- technology fingerprint detection for CMS, ecommerce platforms, frameworks, runtime stacks, infrastructure, and HSTS posture;
- passive privacy-risk checks in --fingerprint, including possible HSTS, ETag/cache, and persistent-cookie supercookie surfaces;
- passive WAF detection and bypass in secure scanning mode;
- controlled header and path bypass probes for blocked 401 and 403 resources;
- resumable scan sessions with checkpoint autosave for long-running scans;
- CI/CD fail-on result bucket rules;
- reports in terminal, text, JSON, CSV, HTML, SARIF and SQLite formats;
- proxy, OpenVPN, and WireGuard transport profiles;
- sequential per-target transport rotation for batch workflows;
- configuration wizard for repeatable scan profiles;
- built-in wordlists (updated 2026-05).
It is designed for real targets where speed alone is not enough: WAFs, CDNs, soft-404 pages, wildcard routes, restricted resources, authenticated areas, unstable networks, multi-target batches, and transport-controlled scans. Since its first release in 2016, OpenDoor has changed dramatically, growing from a primitive brute forcer into an adaptive discovery framework that is also DevOps- and QA-friendly. OpenDoor focuses on context-aware discovery instead of blind enumeration.
| Capability | Why it matters |
|---|---|
| Fingerprint-first scanning | OpenDoor can identify probable CMS platforms, frameworks, infrastructure providers, and WAF signals before deeper discovery. This helps you scan with context instead of blindly throwing a generic wordlist at the target. |
| WAF-aware behavior | OpenDoor can detect probable WAF / anti-bot behavior and switch to a safer runtime profile with --waf-safe-mode, reducing noisy blocked scans and making defensive responses easier to understand. |
| Controlled bypass evidence | OpenDoor can optionally probe blocked 401 and 403 resources with controlled header-injection and path-manipulation variants. It records exact evidence such as bypass type, header or path variant, probe value, original status code, and resulting status code without mutating global scan headers. |
| Multi-signal auto-calibration | OpenDoor does not rely only on status code or response size. It compares multiple response signals such as body hashes, visible text, semantic soft-404 phrases, DOM-token structure, titles, redirects, stable headers, word count, line count, text density, normalized dynamic tokens, and DNS wildcard baselines to reduce soft-404 and wildcard false positives. |
| Transport-level workflows | OpenDoor supports direct, proxy, OpenVPN, and WireGuard transport modes. It can also rotate transport profiles per target in authorized batch scans, which is not the same as manually starting a VPN before running a scanner. |
| Resumable long scans | OpenDoor can save scan checkpoints and resume later. This matters when scans are interrupted by crashes, unstable networks, blocked routes, terminal disconnects, or long multi-target jobs. |
| Runtime pause/resume | Press Ctrl+C once during a scan to pause workers, then choose C to continue or E to abort without involving session files. |
| CI/CD-ready results | OpenDoor can return a failing exit code only when selected result buckets are found, making it usable as a release gate or exposure regression check without custom post-processing scripts. |
| Auditable engineering | OpenDoor is maintained with multi-platform CI, coverage checks, package checks, documentation builds, and a large unittest suite, making it easier to audit, contribute to, and depend on. |
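The multi-signal auto-calibration row above is easier to appreciate with a concrete comparison. The following is an added example written for this page, not OpenDoor's calibration engine: it learns what "not found" looks like from two responses to random paths, then rejects a candidate only when several independent signals agree. The signal set, the thresholds, the `__dyn__` token normalization and the sample HTML pages are all assumptions constructed for the demo.

```python
"""Multi-signal soft-404 calibration over constructed sample pages.

Added example for the auto-calibration capability described above; it is
not OpenDoor's engine. The signal set (hash of the body after stripping
dynamic tokens, title, word and line counts, token-set similarity), the
thresholds, and the two-signal agreement rule are assumptions for this demo.
"""
import hashlib
import re
from dataclasses import dataclass

# Per-request values that would otherwise make every body hash unique.
DYNAMIC_TOKENS = re.compile(
    r"(?:csrf|nonce|token)=[0-9a-f]{8,}"   # request nonces
    r"|\b\d{10,13}\b"                       # epoch timestamps
    r"|\b[0-9a-f]{32,64}\b",                # request ids, session hashes
    re.I,
)
TAG = re.compile(r"<[^>]+>")


@dataclass(frozen=True)
class Signals:
    body_hash: str
    title: str
    words: int
    lines: int
    tokens: frozenset


def extract_signals(body: str) -> Signals:
    normalized = DYNAMIC_TOKENS.sub("__dyn__", body)
    text = TAG.sub(" ", normalized)
    match = re.search(r"<title>(.*?)</title>", normalized, re.I | re.S)
    words = text.split()
    return Signals(
        body_hash=hashlib.sha256(normalized.encode()).hexdigest(),
        title=match.group(1).strip().lower() if match else "",
        words=len(words),
        lines=normalized.count("\n") + 1,
        tokens=frozenset(w.lower() for w in words),
    )


def jaccard(a: frozenset, b: frozenset) -> float:
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


class Calibrator:
    """Learns what 'not found' looks like from responses to random paths."""

    def __init__(self, baseline_bodies: list[str]):
        self.baselines = [extract_signals(b) for b in baseline_bodies]

    def is_soft_404(self, body: str) -> bool:
        cand = extract_signals(body)
        for base in self.baselines:
            if cand.body_hash == base.body_hash:
                return True  # identical once dynamic tokens are stripped
            votes = [
                bool(cand.title) and cand.title == base.title,
                abs(cand.words - base.words) <= max(5, base.words // 10)
                and abs(cand.lines - base.lines) <= 2,
                jaccard(cand.tokens, base.tokens) >= 0.85,
            ]
            if sum(votes) >= 2:  # no single signal may decide alone
                return True
        return False


def soft404_page(path: str, request_id: str) -> str:
    """Constructed sample: a catch-all 'not found' page served with HTTP 200."""
    return (
        "<html><head><title>Page not found</title></head>\n"
        '<body><div class="nav">Home Blog Contact</div>\n'
        f"<h1>Sorry, we couldn't find {path}</h1>\n"
        f"<p>Request id {request_id}</p>\n"
        "</body></html>"
    )


# Constructed sample of a real page that must survive calibration.
ADMIN_LOGIN = (
    "<html><head><title>Admin login</title></head>\n"
    '<body><div class="nav">Home Blog Contact</div>\n'
    "<h1>Administrator sign-in</h1>\n"
    "<p>Enter your administrator credentials to continue</p>\n"
    '<form method="post"><input name="username"><input name="password">\n'
    '<input name="csrf" value="csrf=1a2b3c4d5e6f"><button>Sign in</button></form>\n'
    "</body></html>"
)

# Baselines come from two random, non-existent paths.
BASELINES = [soft404_page("/zq8x1a9cv", "a" * 32), soft404_page("/m4k2p7q1xw", "b" * 32)]


def classify(candidates: dict[str, str]) -> list[str]:
    """Return the candidate paths whose bodies are not soft-404 pages."""
    cal = Calibrator(BASELINES)
    return [path for path, body in candidates.items() if not cal.is_soft_404(body)]


if __name__ == "__main__":
    print(classify({"/backup": soft404_page("/backup", "c" * 32), "/admin": ADMIN_LOGIN}))
```

The two baselines differ in the echoed path and the request id, so a naive body hash would never match; after normalization the request id disappears, and the echoed path is absorbed by the title, size and token-similarity votes. The admin page shares the navigation bar and a similar size with the soft-404 template, which is exactly why size alone is not allowed to decide.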
OpenDoor includes a heuristic fingerprint engine for detecting probable application stacks, CMS platforms, frameworks, site builders, static-site tooling, infrastructure providers, HSTS / preload readiness, and WAF / anti-bot systems.
| Category | Examples |
|---|---|
| CMS | WordPress, Drupal, Joomla, TYPO3, Open Journal Systems, InstantCMS, CMS.S3 / Megagroup, Discuz!, NetCat |
| E-commerce | Magento, WooCommerce, Shopify, PrestaShop, OpenCart, Shopware, Webasyst / Shop-Script |
| Frameworks / app platforms | Laravel, Symfony, Django, Flask, FastAPI, Express, NestJS, Next.js, Nuxt, Rails, Spring |
| Runtime / language stack | PHP, Node.js, JavaScript, Python, Ruby, .NET, Java/JVM, Elixir, static-site targets |
| Site builders | Wix, Webflow, Squarespace, Tilda, Duda, Hostinger Website Builder |
| Static / docs generators | MkDocs, Docusaurus, Hugo, Jekyll, VitePress |
| Infrastructure / hosting | Cloudflare, AWS, Vercel, Netlify, GitHub Pages, GitLab Pages, Heroku, Azure, Google Cloud, Fastly, Akamai, Hostinger, DDoS-Guard, Tencent Cloud |
| Infrastructure / servers | Nginx, Apache HTTP Server, Microsoft IIS, Caddy, LiteSpeed, lighttpd, Tornado, Gunicorn, Uvicorn, Hypercorn, Waitress, Apache Tomcat, Eclipse Jetty, Envoy, Traefik |
| WAF / anti-bot | Cloudflare, AWS WAF, Azure Front Door, Akamai, Imperva, Sucuri, ModSecurity, DataDome, Kasada, F5 BIG-IP ASM |
| Security headers | HSTS presence, max-age, includeSubDomains, preload directive, local preload readiness |
Full list of supported technologies: Fingerprinting technologies
Run fingerprint detection:
```shell
opendoor --host https://example.com --fingerprint
```

After the fingerprint pass finishes, OpenDoor prints a compact pre-scan summary before dictionary enumeration starts:

```text
Fingerprint result: cms/WordPress (95%)
Web stack: WordPress | PHP | Cloudflare
Security posture: HSTS preload-ready
```
Recommended for most CLI users:

```shell
pipx install opendoor
```

With pip:

```shell
python3 -m pip install --upgrade opendoor
```

OpenDoor is available in the Arch User Repository:

```shell
yay -S opendoor
```

With Homebrew:

```shell
brew install opendoor
```

OpenDoor is available as an official project Docker image via GitHub Container Registry.

```shell
docker pull ghcr.io/stanislav-web/opendoor:latest
docker run --rm ghcr.io/stanislav-web/opendoor:latest --version
```

Run a scan and write reports to the host:
```shell
mkdir -p reports
docker run --rm \
  -v "$PWD/reports:/work/reports" \
  ghcr.io/stanislav-web/opendoor:latest \
  --host https://example.com \
  --reports json,html \
  --reports-dir reports
```

OpenDoor is available in BlackArch Linux:

```shell
sudo pacman -Syu
sudo pacman -S opendoor
```

From source:

```shell
git clone https://github.com/stanislav-web/OpenDoor.git
cd OpenDoor
python3 -m pip install -r requirements.txt
python3 opendoor.py --help
```

See the full installation guide.
Scan a single target:

```shell
opendoor --host https://example.com
```

Enumerate subdomains:

```shell
opendoor --host example.com --scan subdomains
```

Scan a list of targets:

```shell
opendoor --hostlist targets.txt
```

Target files may mix URLs, domains, IPv4 addresses, IPv4 CIDR blocks, and inclusive IPv4 ranges:

```text
https://example.com
app.example.com
192.168.1.10
192.168.1.0/24
192.168.1.10-192.168.1.50
```

The same mixed target format is supported through STDIN:

```shell
cat targets.txt | opendoor --stdin
```
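To show what the mixed target format above expands to before a batch scan starts, here is an added example written for this page, not OpenDoor's own target loader. It handles the five line types the page lists (URL, bare host, IPv4 address, IPv4 CIDR, inclusive IPv4 range), de-duplicates the result, and refuses oversized ranges. The `MAX_EXPANSION` cap, the decision to skip network and broadcast addresses, and the `SAMPLE_TARGETS` list are assumptions constructed for the demo.

```python
"""Expand a mixed OpenDoor-style target list into concrete scan targets.

Added example for the input format shown above, not OpenDoor's own loader.
Assumptions for this demo: network and broadcast addresses of blocks
smaller than /31 are skipped, and MAX_EXPANSION caps how many addresses a
single line may expand to, so a typo such as 10.0.0.0/8 fails loudly
instead of queuing sixteen million hosts.
"""
import ipaddress
import re

MAX_EXPANSION = 65_536
HOSTNAME = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?",
    re.I,
)


def _expand_cidr(block: str) -> list[str]:
    net = ipaddress.ip_network(block, strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 CIDR is handled here: {block}")
    if net.num_addresses > MAX_EXPANSION:
        raise ValueError(f"refusing to expand {block}: {net.num_addresses} addresses")
    # /31 and /32 have no separate network/broadcast address to skip.
    addresses = list(net) if net.prefixlen >= 31 else list(net.hosts())
    return [str(a) for a in addresses]


def _expand_range(first: str, last: str) -> list[str]:
    lo, hi = ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())
    if hi < lo:
        raise ValueError(f"range end precedes start: {first}-{last}")
    if int(hi) - int(lo) + 1 > MAX_EXPANSION:
        raise ValueError(f"refusing to expand {first}-{last}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def expand_target(line: str) -> list[str]:
    """Targets one input line stands for; [] for blank lines and # comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if "://" in line:
        scheme, _, rest = line.partition("://")
        if scheme.lower() not in ("http", "https") or not rest:
            raise ValueError(f"unsupported URL: {line}")
        return [line]
    if "/" in line:
        return _expand_cidr(line)
    if "-" in line and line.count(".") == 6:  # a.b.c.d-e.f.g.h
        return _expand_range(*line.split("-", 1))
    try:
        return [str(ipaddress.IPv4Address(line))]
    except ipaddress.AddressValueError:
        pass
    if HOSTNAME.fullmatch(line):
        return [line]
    raise ValueError(f"unrecognised target: {line}")


def load_targets(lines) -> list[str]:
    """Expand every line and de-duplicate, keeping first-seen order."""
    seen, targets = set(), []
    for line in lines:
        for target in expand_target(line):
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


# Constructed sample: the mixed list shown above, one entry per line.
SAMPLE_TARGETS = """
https://example.com
app.example.com
192.168.1.10
192.168.1.0/24
192.168.1.10-192.168.1.50
""".splitlines()

if __name__ == "__main__":
    expanded = load_targets(SAMPLE_TARGETS)
    print(len(expanded), "targets;", expanded[:4], "...")
```

The sample list expands to 256 unique targets: the two names, plus the 254 host addresses of the /24, into which both the single address and the .10-.50 range collapse. Running the expansion before the scan is what makes a batch job's size, and therefore its noise on the target network, predictable.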
A filtered discovery scan with auto-calibration, status and size filters, sniffers, and several report formats:

```shell
opendoor \
  --host https://example.com \
  --method GET \
  --auto-calibrate \
  --include-status 200-299,301,302,403 \
  --exclude-status 404,429,500-599 \
  --exclude-size-range 0-256 \
  --sniff skipempty,collation,indexof,file,stacktrace \
  --reports std,json,csv,sarif
```

Response sniffers classify interesting response bodies during discovery. They are useful when status code and size are not enough to understand what was found.
```shell
opendoor \
  --host https://example.com \
  --method GET \
  --sniff stacktrace,indexof,file,collation \
  --reports std,json,csv,html,sqlite,sarif
```

Useful sniffers include:
| Sniffer | Purpose |
|---|---|
| stacktrace | Detect exposed debug/runtime stack traces and internal error details. Findings are reported under the debug bucket with debug_detection metadata. |
| indexof | Detect directory listing pages. |
| file | Detect known sensitive file exposure patterns. |
| collation | Detect database collation / SQL error responses. |
| skipempty | Skip empty responses. |
| skipsizes=46 | Skip responses with exact known noisy sizes. |
| skipsizes=46:1024 | Skip responses inside a noisy size range. |
Body-dependent sniffers automatically force GET internally when the configured method is HEAD.
Read more: Sniffers reference
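The sniffer table and the HEAD-to-GET note above describe behaviour; the following added example, written for this page and not taken from OpenDoor's sniffer implementation, runs comparable classification logic over constructed sample responses. The regular expressions, the `debug` label used for stack traces, the `skipsizes` parsing and the sample bodies are all assumptions for the demo.

```python
"""Response sniffers run over constructed sample bodies.

Added example that mirrors the sniffer names in the table above; it is not
OpenDoor's engine. The detection patterns, the 'debug' label for stack
traces, and the skip rules are assumptions chosen for this demo.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    status: int
    body: str

    @property
    def size(self) -> int:
        return len(self.body.encode())


STACKTRACE = [
    re.compile(r"Traceback \(most recent call last\)"),                    # Python
    re.compile(r"^\s+at [\w$.<>]+\([\w$]+\.java:\d+\)", re.M),              # JVM
    re.compile(r"(?:Fatal error|Warning|Notice): .+ in /\S+ on line \d+"),  # PHP
    re.compile(r"^\s+at .+ \(.+\.js:\d+:\d+\)", re.M),                      # Node.js
]
INDEXOF_TITLE = re.compile(r"<title>\s*Index of /", re.I)
INDEXOF_PARENT = re.compile(r"Parent Directory", re.I)
COLLATION = [
    re.compile(r"You have an error in your SQL syntax"),
    re.compile(r"Illegal mix of collations|Unknown collation"),
    re.compile(r"\bORA-\d{5}\b"),
    re.compile(r"pg_query\(\)|PG::SyntaxError"),
]
FILE_EXPOSURE = [
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    re.compile(r"^\s*DB_PASSWORD\s*=", re.M),          # .env
    re.compile(r"define\(\s*'DB_PASSWORD'", re.I),      # wp-config.php
    re.compile(r'^\[remote "origin"\]', re.M),          # .git/config
]
BODY_SNIFFERS = {"stacktrace", "indexof", "collation", "file"}


def parse_skipsizes(spec: str):
    """'46' skips exactly 46 bytes; '46:1024' skips the inclusive range."""
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":", 1))
        return lambda n: lo <= n <= hi
    exact = int(spec)
    return lambda n: n == exact


def sniff(resp: Response, sniffers: list[str]) -> tuple[bool, set[str]]:
    """Return (keep, labels); keep is False when a skip* rule drops the response."""
    labels: set[str] = set()
    for name in sniffers:
        if name == "skipempty" and not resp.body.strip():
            return False, set()
        if name.startswith("skipsizes=") and parse_skipsizes(name[len("skipsizes="):])(resp.size):
            return False, set()
        if name == "stacktrace" and any(p.search(resp.body) for p in STACKTRACE):
            labels.add("debug")
        if name == "indexof" and INDEXOF_TITLE.search(resp.body) and INDEXOF_PARENT.search(resp.body):
            labels.add("indexof")
        if name == "collation" and any(p.search(resp.body) for p in COLLATION):
            labels.add("collation")
        if name == "file" and any(p.search(resp.body) for p in FILE_EXPOSURE):
            labels.add("file")
    return True, labels


def effective_method(method: str, sniffers: list[str]) -> str:
    """Body-dependent sniffers cannot work on a HEAD response, so HEAD becomes GET."""
    if method.upper() == "HEAD" and BODY_SNIFFERS & set(sniffers):
        return "GET"
    return method.upper()


# Constructed sample responses (no network involved).
LISTING = Response("/backup/", 200,
    "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>\n"
    '<a href="../">Parent Directory</a> <a href="db.sql.gz">db.sql.gz</a></body></html>')
TRACE = Response("/api/admin", 500,
    "Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 42, in admin\n"
    "KeyError: 'user'\n")
SQLERR = Response("/item?id=1'", 200,
    "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version")
ENV = Response("/.env", 200, "APP_ENV=production\nDB_HOST=127.0.0.1\nDB_PASSWORD=hunter2\n")
EMPTY = Response("/robots.txt", 200, "")
NOISE = Response("/old", 200, "<html><body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    for resp in (LISTING, TRACE, SQLERR, ENV, EMPTY, NOISE):
        print(resp.url, sniff(resp, ["skipempty", "skipsizes=40:50", "stacktrace", "indexof", "file", "collation"]))
```

Skip rules are evaluated in the order given and short-circuit, so a response dropped by `skipempty` or `skipsizes` never reaches the body sniffers. `effective_method` is the check behind the HEAD note above: if any body-dependent sniffer is requested, the request must carry a body to inspect.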
Replay a raw HTTP request template as the scan base:

```shell
opendoor \
  --raw-request request.txt \
  --scheme https \
  --method GET \
  --auto-calibrate \
  --reports json,html,sqlite,sarif
```

Scan behind a WAF with a safer runtime profile:

```shell
opendoor \
  --host https://example.com \
  --waf-safe-mode \
  --timeout 60 \
  --retries 5 \
  --delay 0.5
```

Use header-bypass probing only on systems you are authorized to test. The feature is opt-in and probes blocked resources with controlled temporary headers and safe path variants.
```shell
opendoor \
  --host https://example.com \
  --method GET \
  --waf-detect \
  --header-bypass \
  --header-bypass-limit 32 \
  --reports std,json,csv,sarif,sqlite
```

When --header-bypass is enabled, OpenDoor first tries the configured header-injection variants and then safe path-manipulation variants such as trailing slash, dot segment, semicolon suffix, case variation, and URL-encoded segment. Customize trigger statuses, trusted IP values, and headers:
```shell
opendoor \
  --host https://example.com \
  --method GET \
  --header-bypass \
  --header-bypass-status 401,403 \
  --header-bypass-ips 127.0.0.1,10.0.0.1 \
  --header-bypass-headers X-Original-URL,X-Rewrite-URL,X-Forwarded-For,X-Real-IP \
  --reports json,html,sqlite,sarif,csv
```

Use a single explicit proxy:
```shell
opendoor --host https://example.com --proxy socks5://127.0.0.1:9050
```

Use the bundled rotating proxy pool:

```shell
opendoor --host https://example.com --proxy-pool
```

Use a custom rotating proxy list:

```shell
opendoor --host https://example.com --proxy-list proxies.txt
```

Route the scan through an OpenVPN profile:

```shell
opendoor \
  --host https://example.com \
  --transport openvpn \
  --transport-profile ./profile.ovpn
```

If OpenVPN is installed outside PATH, pass the backend explicitly:
```shell
opendoor \
  --host https://example.com \
  --transport openvpn \
  --transport-profile ./profile.ovpn \
  --transport-bin /opt/homebrew/sbin/openvpn
```

On Windows, --transport-bin can point to `C:\Program Files\OpenVPN\bin\openvpn.exe`. If a GUI client or corporate VPN agent already owns the tunnel, start that VPN outside OpenDoor and run OpenDoor in direct mode.
Route the scan through a WireGuard profile:

```shell
opendoor \
  --host https://example.com \
  --transport wireguard \
  --transport-profile ./profile.conf
```

More examples:
- Basic scans
- Batch scans
- Authenticated scans
- WAF-safe scans
- Header-bypass scans
- VPN transport scans
- CI/CD examples
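The header-bypass scans shown earlier send two families of probes and record evidence for each one. To make that workflow concrete without touching a network, here is an added example written for this page, not OpenDoor's probe engine. It generates the header-injection variants (with the same default header and trusted-IP lists as the flags above) and the five path-manipulation variants the page names, respects a probe limit, keeps the session headers untouched, and records the evidence fields the capability table lists. The variant ordering, the evidence dictionary keys and `fake_target` (a constructed stand-in for a misconfigured front-end/back-end pair) are assumptions for the demo.

```python
"""Header-injection and path-manipulation probes for a blocked resource,
with the evidence record a bypass pass should keep.

Added example for the header-bypass workflow described above; it is not
OpenDoor's probe engine. Assumptions: the default header/IP lists mirror the
flags shown earlier, variant order and the evidence keys are this demo's own,
no requests are sent, and fake_target is a constructed stand-in for a
misconfigured front-end/back-end pair.
"""
from dataclasses import dataclass, field
from typing import Callable

DEFAULT_TRIGGER = {401, 403}
DEFAULT_HEADERS = ["X-Original-URL", "X-Rewrite-URL", "X-Forwarded-For", "X-Real-IP"]
DEFAULT_IPS = ["127.0.0.1", "10.0.0.1"]
URL_HEADERS = {"X-Original-URL", "X-Rewrite-URL"}  # carry a path, not an address


@dataclass(frozen=True)
class Probe:
    kind: str       # "header" or "path"
    variant: str    # header name or path-mutation name
    value: str      # header value or mutated path
    path: str       # path actually requested
    headers: dict = field(default_factory=dict)


def header_variants(path, headers=DEFAULT_HEADERS, ips=DEFAULT_IPS):
    for name in headers:
        if name in URL_HEADERS:
            # Request a harmless path; the header names the blocked one.
            yield Probe("header", name, path, "/", {name: path})
        else:
            for ip in ips:
                yield Probe("header", name, ip, path, {name: ip})


def path_variants(path):
    base = path if path == "/" else path.rstrip("/")
    head, _, last = base.rpartition("/")
    if not last:
        return
    encoded = "%%%02X%s" % (ord(last[0]), last[1:])  # percent-encode the first character
    for name, mutated in (
        ("trailing-slash", base + "/"),
        ("dot-segment", f"{head}/./{last}"),
        ("semicolon-suffix", base + ";"),
        ("case-variation", f"{head}/{last.swapcase()}"),
        ("url-encoded-segment", f"{head}/{encoded}"),
    ):
        yield Probe("path", name, mutated, mutated)


def run_bypass(path: str, original_status: int, send: Callable[[str, dict], int],
               session_headers: dict, *, trigger=DEFAULT_TRIGGER, limit: int = 32) -> list[dict]:
    """Probe a blocked resource and return evidence for every probe that opened it."""
    if original_status not in trigger:
        return []
    evidence, sent = [], 0
    for probe in [*header_variants(path), *path_variants(path)]:
        if sent >= limit:
            break
        # Merge per-probe headers into a copy; the session headers are never mutated.
        status = send(probe.path, {**session_headers, **probe.headers})
        sent += 1
        if status != original_status and 200 <= status < 300:
            evidence.append({
                "bypass_type": probe.kind,
                "variant": probe.variant,
                "probe_value": probe.value,
                "requested_path": probe.path,
                "original_status": original_status,
                "result_status": status,
            })
    return evidence


def fake_target(path: str, headers: dict) -> int:
    """Constructed stand-in: the front-end blocks /admin by exact path, but the
    back-end honours X-Original-URL and matches paths case-insensitively."""
    if headers.get("X-Original-URL") == "/admin":
        return 200
    if path.lower() == "/admin" and path != "/admin":
        return 200
    if path.startswith("/admin"):
        return 403
    return 404


SESSION_HEADERS = {"User-Agent": "opendoor-example"}

if __name__ == "__main__":
    for record in run_bypass("/admin", 403, fake_target, SESSION_HEADERS):
        print(record)
```

Against the constructed target, two of the eleven probes succeed: the `X-Original-URL` header sent with a request for `/`, and the `/ADMIN` case variation. Each evidence record pairs the original 403 with the resulting 200 and the exact header or path that produced it, which is what a reviewer needs to reproduce the finding by hand; nothing is written back into the session headers, so later requests in the same scan are unaffected.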
OpenDoor can export findings as SARIF 2.1.0 for GitHub Code Scanning and SARIF-compatible security pipelines.
```shell
opendoor \
  --host https://example.com \
  --reports sarif,json \
  --reports-dir ./reports
```

GitHub Actions upload example:
```yaml
- name: Upload OpenDoor SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reports/example.com/example.com.sarif
    category: opendoor
```

The full documentation is available on ReadTheDocs:
- Home
- Quickstart
- Installation and update
- Usage guide
- Target input
- Reports
- Fingerprinting
- WAF detection and safe mode
- Header Injection Bypass
- Auto-calibration
- Network transports
- OpenVPN transport
- WireGuard transport
- Practical examples
- Testing
- Contribution
Install development dependencies:
```shell
python3 -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip setuptools wheel
python -m pip install -r requirements-dev.txt
python -m pip install -e .
```

Run tests:

```shell
python -m unittest
```

Run coverage:

```shell
coverage run -m unittest discover -s tests -p "test_*.py"
coverage report -m
```

Build documentation:

```shell
python3 -m venv .docs-venv
source .docs-venv/bin/activate
python -m pip install -r docs/requirements.txt
python -m mkdocs build --strict
```

Build package artifacts:

```shell
python -m build
```

See the full testing guide and contribution guide.
Do not commit real secrets or private transport profiles.
Never publish:
- real OpenVPN profiles;
- WireGuard private keys;
- auth-user-pass files;
- cookies;
- bearer tokens;
- customer target lists;
- private scan reports;
- sensitive CI artifacts.
Use placeholder examples only.
OpenDoor is a security testing tool.
Use it only against systems you own or have explicit permission to test.
Features such as WAF detection, WAF-safe scanning, raw request replay, transport profiles, and Header Injection Bypass probes are intended for authorized security testing, defensive validation, and exposure regression checks.
The project does not grant permission to scan third-party systems, organizations, commercial services, or public infrastructure without authorization.
See CHANGELOG.md and GitHub Releases.
Pull requests are welcome.
Before contributing, read the contribution guide and run the relevant tests. OpenDoor improves through code contributions, documentation updates, testing, issue reports, security feedback, feature ideas, and community validation. Thanks to everyone who has helped improve the project.
OpenDoor is released under the GNU General Public License v3.0 only.
See LICENSE.
If OpenDoor helps your authorized security work, you can support ongoing maintenance through Giveth.
