Favicons are the small icons that you see in the browser tab next to the website title or in your bookmarks. For example, the Shodan logo on the left side of the browser tab is the favicon:
They typically contain the logo of the company which gives them 2 functions:
- An easy way to find the tab of a website when you have multiple open tabs.
- A sense of authenticity that the website you're visiting belongs to the right company.
Shodan collects the favicons for websites and stores the information in the
datacontains the image as a base64-encoded string.
hashis the MurmurHash3 of the
dataproperty. The Shodan API has a search filter called
http.favicon.hashto search based on this value.
locationlets you know where the favicon was found. Historically, the
favicon.icofile was located at the root of the web server but it can be put in any arbitrary location by referencing it in the HTML. For example:
html <link rel="icon" type="image/png" href="/assets/favicon-yellow-018213ceb87b472388095d0264be5b4319ef47471dacea03c83ecc233ced2fd5.png" />
At Shodan, we developed the technique of hashing the favicon to make it possible to search across the Internet for identical favicon images. We developed it nearly a decade ago to help with 2 use cases:
- Identify Phishing Websites: bad actors will commonly use the same favicon as the website they're imitating. By searching for the favicon of a company you can identify potential phishing websites.
- Origin IP Disclosure: websites that are hosted behind a CDN (ex. Cloudflare) should restrict access to their web server to only accept connections from the CDN. By searching for the favicon of a website you can confirm that a website has been correctly configured and isn't responding to requests from its origin IP.
The favicon hash is calculated by applying the MurmurHash3 algorithm to the
http.favicon.data property on the banner.
Why MMH3? The key considerations when we developed the technique were speed of the hashing algorithm and size of the resulting hash. We didn't need the cryptographic guarantees of MD5/ etc.
We provide a simple tool called
favscan that calculates the favicon hash given a URL, hostname or local file path.
$ favscan -h
Calculate the favicon hash of a local file, hostname or URL
Usage: favscan [OPTIONS] <LOCATION>
-h, --help Print help
-V, --version Print version
favscan will first look for the favicon in the common
/favicon.ico path and if that fails it will check the frontpage for a
shortcut icon link. The tool is available for download across many platforms:
For example, to get the favicon hash for
google.com you would run:
You can also specify ports as part of the URL:
Or calculate it for a local file:
Lets say we want to find public instances of Gitlab using favicons. We start off by grabbing the favicon hash of a known Gitlab instance:
$ favscan gitlab.com
We then take that hash and use it in a search query of:
The search query can be used on the website, CLI or API. For now, lets just see how many instances there are based on the favicon:
$ shodan count http.favicon.hash:1265477436
And this is what it looks like on the website:
Note: Shodan already fingerprints Gitlab services so you can search for
product:gitlabinstead of using favicons.
- Wikipedia article on the favicon: https://en.wikipedia.org/wiki/Favicon
- Map of Favicons on the Internet: https://faviconmap.shodan.io
- Datapedia entry for