Using Favicon Hashing for Continuous Monitoring

Sunday, October 25, 2020 • 2 minutes to read


I started listening to the Cloud Security Podcast this past month. Great digestible interviews with security professionals from different fields. This episode really caught my attention when they discussed bug bounty hunters using a continuous monitoring technique involving favicon hashes.

What’s a favicon: A favicon is the tiny logo you see in the tab section of your browser. For instance you should (if on a desktop browser) see this little egg t0o0tz Favicon next to the title of this page. Favicon on Chrome most favicons have the file extension .ico. Go ahead and type in your favorite website followed by the path /favicon.ico or just check out these links to get an idea

What can we do with this: By calculating the hash we can use a search engine like (our search would like something like this -> http.favicon.hash:"OUR HASH HERE") to scour the internet for devices that serve our favicon. We can do this with a simple python script. Even better, there’s a great tool FavFreak developed by Devansh Batham which provides domains, subdomains, and IPs of our selected hash.

Why is this a useful technique: It makes sense that the cloud security podcast would bring up this technique when talking about continuous monitoring. We could use this technique to locate devices associated with “our brand” which should not be externally facing, or should be decommissioned. This is also valuable when monitoring for phishing websites or fraudulent IPs posing as “our brand”


Fixing My Canon Sure Shot Supreme

What I've Learned About Photography in the Past Month-ish

comments powered by Disqus