WhichCDN: How to automate CDN detection



Hi fellas,

First of all, I wanted to apologize for my lack of activities the last month. Indeed, I was overwhelmed by my work and my training for my OSCP certification which was quite time consuming :cold_sweat:

By the same token, would you be interested in my feedback about OSCP?

  • Yes
  • No

0 voters

Well, today article is going to be focused on my last project, whichCDN.

As you already know, the recon phase is primordial and determine if your attempts to access the targeted system will be successful.

A multitude of tools allows performing ports scan, DNS enumeration, CMS detection and various other types of assessments. However, none of those allow you to easily and efficiently detect if a given website is protected by a CDN (Content Delivery Network).

CDNs become more and more popular those days and provide features to shield websites against numerous types of attacks such as:

  • Denial of Service
  • Distributed Denial of Service
  • Distributed Reflection Denial of Service
  • XSS, SQLI through WAF (Web Application Firewall)

Among those security measures, they allow to speed up the loading of your website by improving the cache system, load balancing, browser optimization, JavaScript minimization, etc.

CDNs are a real challenge for pentesters / hackers which often hide the target’s real address, preventing any further system based attacks. Its detection will result in a gain of time, avoiding unnecessary assessments.

WhichCDN implements five methods detection:

Whois Detection

CDNs could impact the whois command results by changing several fields e.g. Name Server, nserver, etc.

Error Server Detection

A few CDNs disclose information when we try to directly access the IP address resolved by the host command, exposing themselves.

HTTP header Detection

Some CDNs could be quite intrusive and modify the HTTP header by adding or replacing existing fields which allow detecting their presence.

DNS Detection

When resolving the DNS of a given domain name, it is common to find the name server associated to the CDN in place.

Subdomain Detection

Big companies often use a subdomain to configure their CDN, by trying to access such subdomain, it is possible to determine which technology is used.

Let’s try it on 0x00sec


whichCDN http://example.com | example.com

As you can see on the picture above, 0x00sec.org is protected by Cloudflare. It is just as simple as that.

Supported CDNs

  • Cloudflare
  • Incapsula
  • Cloudfront
  • Akamai
  • Airee
  • CacheFly
  • EdgeCast
  • MaxCDN
  • Beluga
  • Limelight
  • Fastly
  • Myracloud
  • Microsft Azure

Axes of improvement

I don’t know yet if it is possible to bypass such security measures but once done, it would be awesome to add attack vectors to work around those filtration systems.

Moreover, I would like to populate the list of supported CDN with other service providers such as:

  • Azion
  • ArvanCloud
  • Beluga
  • DN77
  • CDNetwork
  • CDNsun
  • CDNvideo
  • ChinaCache
  • ChinaNetCenter
  • Highwinds
  • KeyCDN
  • Level3
  • Quantil
  • SkyparkCDN
  • Verizon Digital Media services
  • Turbobyte


Don’t hesitate to contribute to this project if you are aware of other ways to detect CDNs. Lastly, feel free to contact me if you know websites using a specific type of CDN that is not supported yet!

I hope that you enjoyed this article.



Nice script, and it’s written in the most holy language! Well done.



A new detection method has been added: WhoisDetection

(Command-Line Ninja) #4

I’d be interested to do some statiscal research on major sites on the Alexa rank to see what CDNs are most common.

Could use this script!


Hi guys, a quick update to inform you that whichCDN seems to have been added to blackarch. I must admit that I’m quite proud of it.

Have a good day.


Congrats man :slight_smile: proud of you @Nitrax

(Hardware Bias!) #7

This should be included in the next Kali release.



I will try to submit this idea to Kali maintainers :slight_smile: