Introduction
Favicons are small icons that represent a website. Browsers display them natively in the title bar or tab as a visual cue for the site. They are also one of the features website developers most often overlook when building or deploying a site.
To give developers a head start, several frameworks and web servers ship with their own default favicon. If the developers forget to swap it out, it not only affects the website's branding, but it also gives away the tools and technologies used to build the site.
Now I'm not one to advocate for security by obscurity. I believe in flaunting the technologies you use proudly. But more often than not, a default favicon left unchanged indicates a lack of attention to finer details. The more negligence you can see in a web application, the more confident you can be of finding a vulnerability in it.
I can has md5sum?
So, how exactly do you fingerprint web applications using favicons? You request the favicon, compute a cryptographic hash of it, and then group identical hashes together to see which sites run related applications. The hashes of a few common default favicons are shown below:
$ md5sum microsoft-favicon.ico # Seems like IIS / ASP
4859e39ae6c0f1f428f2126a6bb32bd9
$ md5sum apache-tomcat-favicon.ico
4644f2d45601037b8423d45e13194c93
$ md5sum plesk-favicon.ico
650b28c6cf1b473aed15ba26bad1da92
Enter OWASP’s favicon database
This kind of information is so easy to collect and so valuable to keep that OWASP maintains a favicon database covering quite a few well-known applications. It lists MD5 hashes for several common favicons, which can help you quickly identify what technology powers your target website.
Tool: faviconmap
As a practical demonstration, I have written a small Python script that requests any given website's favicon and looks up its MD5 hash in a known database of favicons for popular applications.
To run this tool, clone the gist and run the favicon_mapper.py script like so:
git clone https://gist.github.com/mukesh-610/6843589be555d7f6d00622449987215e favicon_mapper
cd favicon_mapper
python favicon_mapper.py https://tomcat.apache.org
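The hash-and-lookup step described above, written out as an added example (this is not the favicon_mapper.py script from the gist, nor OWASP's code). The three MD5 values in the table are the ones quoted earlier in this post; the SHA-256 column, the "favicon-audit" User-Agent string, the constructed sample icon bytes and the example.test URLs are assumptions made for the example. Run it against your own deployments to confirm that no default icon is still being served, and to see which declared icon a browser would actually pick up:

```python
import hashlib
import urllib.request
from urllib.parse import urljoin
from html.parser import HTMLParser

# Known favicon MD5 -> application. The three entries are the hashes quoted in
# the post; anything else you add comes from your own observations.
KNOWN_FAVICONS = {
    "4859e39ae6c0f1f428f2126a6bb32bd9": "Microsoft IIS / ASP default",
    "4644f2d45601037b8423d45e13194c93": "Apache Tomcat default",
    "650b28c6cf1b473aed15ba26bad1da92": "Plesk default",
}


def favicon_hashes(data: bytes) -> dict:
    """MD5 (the key the OWASP database uses) plus SHA-256 of the icon bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify(data: bytes, db=KNOWN_FAVICONS):
    """Look the icon up by MD5; returns the application label or None if unknown."""
    return db.get(favicon_hashes(data)["md5"])


def register(label: str, data: bytes, db=KNOWN_FAVICONS) -> str:
    """Record an icon you have observed under a label; returns its MD5."""
    digest = hashlib.md5(data).hexdigest()
    db[digest] = label
    return digest


class _IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> and <link rel="shortcut icon"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        if "icon" in rel and attr.get("href"):
            self.hrefs.append(attr["href"])


def favicon_candidates(base_url: str, html: str) -> list:
    """Icons declared in the page first, then /favicon.ico as the browser fallback."""
    parser = _IconLinkParser()
    parser.feed(html)
    urls = [urljoin(base_url, href) for href in parser.hrefs]
    fallback = urljoin(base_url, "/favicon.ico")
    if fallback not in urls:
        urls.append(fallback)
    return urls


def fetch(url: str, timeout: float = 10.0) -> bytes:
    # User-Agent value is an assumption for this example.
    req = urllib.request.Request(url, headers={"User-Agent": "favicon-audit/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def check_site(base_url: str) -> list:
    """Fetch the site's icon(s) and return (icon_url, md5, label_or_None) per icon."""
    try:
        html = fetch(base_url).decode("utf-8", errors="replace")
    except Exception:
        html = ""  # no page body: fall back to /favicon.ico only
    results = []
    for url in favicon_candidates(base_url, html):
        try:
            data = fetch(url)
        except Exception:
            continue  # icon not served at this location
        results.append((url, favicon_hashes(data)["md5"], identify(data)))
    return results


if __name__ == "__main__":
    import sys

    for url, digest, label in check_site(sys.argv[1]):
        print(f"{url}  md5={digest}  {label or 'no known match'}")
```

The parser walks the page for declared icon links before falling back to /favicon.ico, because a site that overrides its icon via a `<link>` tag may still leave the server's default at /favicon.ico, and that fallback is exactly what an md5sum-based fingerprint will pick up.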
Conclusion
Typical web application enumeration methods might not always hit the jackpot, and sometimes the devil is in the details. When ideas like looking at the response headers, response body, CSS classes, or patterns in typical filenames or URLs fail, favicon hashes can make a difference. Favicon enumeration for fingerprinting web applications is a valuable addition to any cybersecurity professional's arsenal.
CTO of Razz Security. I’m passionate about uncovering vulnerabilities and sharing my research with the community. Through this blog, I aim to share my findings, solutions, and insights to help professionals and enthusiasts alike protect their systems and stay ahead of evolving threats.