HTTP Fingerprinting for Bug Bounty: Tech Stack Triage at Scale
Cybersecurity
Turn thousands of live hosts into a ranked target list. Use httpx, nuclei, and wappalyzer to fingerprint stacks fast and pick fights you can win.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 9, 2023 · 8 min read
Why fingerprinting matters
After enumeration you have a wall of hosts. Half are CDN fronts, a quarter are static marketing, and the rest are where bugs live. Fingerprinting is how you cut the list down to where your time pays.
First pass with httpx
- httpx -l hosts.txt -title -tech-detect -status-code -cdn -json
- Save JSON, not just stdout, so you can filter later
- Run on both 80 and 443, and on common dev ports if scope allows
- Use -follow-redirects sparingly; redirects often mask the real stack
The output gives you title, technologies, status code, and CDN tag in one pass. Sort by tech. Group hosts by framework. The clusters are your candidate buckets.
Triage by stack
- Tomcat, JBoss, WebLogic clusters go to a Java vuln checklist
- PHP CMS hosts go to a CMS specific checklist with version notes
- GraphQL endpoints get tagged for introspection and depth testing
- Anything tagged Jenkins, Grafana, or Kibana gets flagged for default creds
Favicon hashing
Compute the mmh3 hash of /favicon.ico and pivot through Shodan. Identical favicons across a fleet often mean shared admin panels, shared codebases, and shared bugs. This single trick has paid for itself many times over for hunters who use it.
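As an added example (not the author's code or part of any tool named on this page), here is the Shodan-style favicon hash in pure Python, plus a helper that groups a constructed fleet by shared icon so you can see which of your own hosts that pivot would tie together; the host names and icon bytes are made up. Note that Shodan hashes the base64 text of the icon rather than the raw bytes, so a hash over raw bytes will never match its index.

```python
import base64
import struct
from collections import defaultdict

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the algorithm behind mmh3.hash(); returns an unsigned value."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h = seed & mask
    nblocks = len(data) // 4
    for k in struct.unpack_from("<%dI" % nblocks, data):  # 4-byte little-endian blocks
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h ^= k
        h = (rotl(h, 13) * 5 + 0xe6546b64) & mask
    tail, k = data[nblocks * 4:], 0
    for i in range(len(tail) - 1, -1, -1):  # up to three trailing bytes
        k ^= tail[i] << (8 * i)
    if tail:
        h ^= (rotl((k * c1) & mask, 15) * c2) & mask
    h ^= len(data)
    h ^= h >> 16  # finalisation mix (fmix32)
    h = (h * 0x85ebca6b) & mask
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & mask
    return h ^ (h >> 16)

def to_signed32(x: int) -> int:
    """mmh3.hash() and Shodan report the hash as a signed 32-bit integer."""
    return x - (1 << 32) if x & 0x80000000 else x

def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash is mmh3 over the base64 TEXT of the icon, wrapped at
    76 columns with a trailing newline (the base64.encodebytes layout), not the raw bytes."""
    return to_signed32(murmur3_32(base64.encodebytes(favicon)))

def shared_favicons(fleet: dict) -> dict:
    """Map favicon hash -> sorted hosts, keeping only hashes shared by two or more hosts."""
    clusters = defaultdict(list)
    for host, icon in fleet.items():
        clusters[shodan_favicon_hash(icon)].append(host)
    return {h: sorted(v) for h, v in clusters.items() if len(v) > 1}

# Constructed stand-ins for icon bytes and host names (not real targets or real icons).
ICON_A = b"\x00\x00\x01\x00" + b"A" * 60  # ICO header followed by filler
ICON_B = b"\x00\x00\x01\x00" + b"B" * 60
FLEET = {"admin.example.test": ICON_A, "ops.example.test": ICON_A,
         "www.example.test": ICON_B, "cdn.example.test": ICON_A}

if __name__ == "__main__":
    print(shared_favicons(FLEET))  # one cluster: the three hosts serving ICON_A
```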
Run nuclei early, but quietly
Running nuclei against your live hosts, with template tags matched to your fingerprint output, surfaces known issues fast. Keep the rate low, respect program rules, and skip templates that submit forms. The goal is signal, not noise.
Stats that guide focus
Manual review still wins
- Open the top-scoring hosts in a browser; do not skip this step
- Read the JS, look for the framework's signature patterns
- Check robots.txt and sitemap.xml on every candidate
- Note any custom auth flow; those are usually buggy
Fingerprinting is not the bug. Fingerprinting tells you where the bug probably is so you can stop scrolling and start hunting.
Feed the loop
Every interesting fingerprint should land in your notes, indexed by host and stack. Next time a new CVE drops for Confluence or Spring or whatever, you have a one-minute grep across your entire target portfolio. That is leverage.