What is a Favicon Hash?

A concise technical guide for security researchers and bug bounty hunters.


What is a favicon?

A favicon is the small icon browsers display in tabs and bookmarks. It is typically served from /favicon.ico, but a page can also declare one with an HTML <link rel="icon"> tag pointing to a PNG, SVG, or ICO file, so a crawler that only fetches /favicon.ico may see a different icon than the browser does, or none at all.

What is a favicon hash?

A fingerprint computed from the favicon's bytes: the same bytes always give the same value, so it can be used as a search key. Different algorithms, and different inputs to the same algorithm, produce different values:

  • MurmurHash3 (MMH3) — used by Shodan, FOFA, ZoomEye. Computed on the base64-encoded favicon bytes (with line breaks, see below), not on the raw file. Output is a signed 32-bit integer.
  • MD5 — used by Censys and Validin. Computed on the raw bytes; output is a 32-character hex string.
  • SHA-256 — used by Netlas. Computed on the raw bytes; output is a 64-character hex string.
  • Perceptual hash (phash) — fuzzy matching for visually similar favicons that are not byte-identical (re-encoded, resized, recompressed).
  • Difference hash (dhash) — another perceptual hash; used by VirusTotal.

How is the MurmurHash3 computed?

The exact algorithm Shodan uses:

import mmh3, codecs, requests

r = requests.get("https://example.com/favicon.ico", timeout=10)
r.raise_for_status()                        # otherwise a 404 error page would be hashed
b64 = codecs.encode(r.content, "base64")    # base64 with a newline every 76 chars plus a trailing newline
print(mmh3.hash(b64))                       # signed 32-bit int, the value Shodan indexes

Key detail: the hash is computed on the base64-encoded bytes, not the raw bytes, and specifically on the wrapped base64 that Python's codecs encoder (base64.encodebytes) produces: a newline after every 76 characters and one at the end. Hashing an unwrapped base64 string (base64.b64encode) or the raw file yields a different number that will never match Shodan's index.
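To make that detail concrete without a network round trip, here is an added, self-contained example (not code from Shodan or from this guide's author) that implements MurmurHash3_x86_32 in pure Python, hashes a constructed favicon-like byte string the way Shodan does, and computes the other fingerprints from the list above for comparison. The sample bytes are made up (an ICO header followed by filler), and the "unwrapped" and "raw" variants are included only to show that they do not produce the Shodan value.

```python
import base64
import hashlib

C1, C2 = 0xCC9E2D51, 0x1B873593
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, returning a signed 32-bit int like mmh3.hash()."""
    h = seed & MASK32
    n = len(data)
    # Body: consume 4-byte little-endian blocks.
    for i in range(0, n - n % 4, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl32((k * C1) & MASK32, 15)
        k = (k * C2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    # Tail: the remaining 1-3 bytes, if any.
    tail = data[n - n % 4:]
    k = 0
    for j in range(len(tail) - 1, -1, -1):
        k ^= tail[j] << (8 * j)
    if tail:
        k = _rotl32((k * C1) & MASK32, 15)
        k = (k * C2) & MASK32
        h ^= k
    # Finalisation mix.
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def shodan_b64(favicon: bytes) -> bytes:
    """The exact text Shodan hashes: base64 wrapped at 76 columns with a
    trailing newline, i.e. what codecs.encode(favicon, "base64") returns."""
    return base64.encodebytes(favicon)


def shodan_favicon_hash(favicon: bytes) -> int:
    """MMH3 favicon hash as used by Shodan, FOFA and ZoomEye (signed 32-bit)."""
    return murmur3_32(shodan_b64(favicon))


def favicon_hashes(favicon: bytes) -> dict:
    """Every fingerprint named in this guide for one favicon, side by side."""
    return {
        "mmh3_shodan": shodan_favicon_hash(favicon),              # Shodan / FOFA / ZoomEye
        "mmh3_unwrapped": murmur3_32(base64.b64encode(favicon)),  # mistake: no line breaks
        "mmh3_raw": murmur3_32(favicon),                          # mistake: raw bytes
        "md5": hashlib.md5(favicon).hexdigest(),                  # Censys / Validin
        "sha256": hashlib.sha256(favicon).hexdigest(),            # Netlas
    }


# Constructed stand-in for a favicon: a 6-byte ICONDIR + 16-byte ICONDIRENTRY
# header followed by filler. Not a real icon, just 120 bytes, enough to force
# base64 line wrapping (57 input bytes per 76-character line).
SAMPLE_FAVICON = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(98))

if __name__ == "__main__":
    for name, value in favicon_hashes(SAMPLE_FAVICON).items():
        print(f"{name:15} {value}")
```

Swap the real file's bytes in for SAMPLE_FAVICON and the "mmh3_shodan" value is what you paste into a Shodan search; the two "mistake" rows are the values you get from the most common wrong implementations and will not match anything in the index.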

Why do security researchers use favicon hashes?

Favicon hashes enable passive infrastructure reconnaissance. Shodan, FOFA, Censys and others store a favicon hash for the HTTP services they crawl, so one hash lets you search for every indexed host serving the same icon without sending a single packet to the target. A single favicon therefore becomes a pivot from one known host to others that share it:

  • Organizations reuse the same favicon across production, dev, staging, and internal tools, so one hash links them all
  • Origin servers behind a CDN often serve the same favicon as the CDN front end, so a favicon search can surface the origin IP the CDN was meant to hide
  • Forgotten or decommissioned servers still carry the original favicon long after they drop out of DNS
  • Well-known product favicons (admin consoles, frameworks, appliances) reveal the technology stack without active scanning