Fingerprint

Fingerprint is Hugin’s passive technology detection. It analyses HTTP headers, cookies, and response bodies to identify the web server, application framework, CMS, JavaScript libraries, CDN, WAF, and language runtime in use on every host.

Fingerprint does no active probing; it runs entirely on already-captured traffic. It is useful for scoping (which CVEs apply?), targeting (which payloads will work?), and reporting (what stack is the customer running?).

What It Detects

Servers & Runtimes

  • Web servers (Apache, nginx, IIS, Caddy, Cloudflare, etc.)
  • App servers (Tomcat, Jetty, Gunicorn, Puma, Passenger, etc.)
  • Language runtimes (PHP, Node.js, Python, Ruby, Java, .NET, Go) including version when leaked

Frameworks & CMS

  • Backend frameworks (Laravel, Django, Flask, Rails, Spring, Express, ASP.NET, etc.)
  • Frontend frameworks (React, Vue, Angular, Next.js, Nuxt, Svelte, etc.)
  • CMS (WordPress, Drupal, Joomla, Magento, Shopify, etc.) including version when fingerprintable
  • E-commerce platforms (WooCommerce, BigCommerce, etc.)

JavaScript Libraries

  • jQuery, Lodash, Bootstrap, Moment.js, Underscore, Axios, etc.
  • Detected from script src URLs, inline globals, and known fingerprint patterns
  • Version captured when present in URL or globals

CDN & WAF

  • CDNs: Cloudflare, Akamai, Fastly, CloudFront, Azure CDN, Bunny, KeyCDN, etc.
  • WAFs: Cloudflare WAF, Imperva, Akamai BMP, AWS WAF, Sucuri, Wordfence, ModSecurity, F5 ASM, Barracuda, etc.

Database / API / Authentication

The full category list (per the categories MCP action): webserver, language, framework, cms, cdn, waf, database, api, javascript, authentication. Each category has its own signature set; use the signatures action to list all matchers.

Detection Sources

Each fingerprint signature is matched against:

  • Response headers (Server, X-Powered-By, X-AspNet-Version, Set-Cookie names, etc.)
  • Response body patterns (meta tags, comments, framework-specific HTML structures)
  • Cookies (session cookie names, framework-specific patterns)
  • JavaScript globals detected via response analysis
  • File paths in URLs (e.g., /wp-content/, /typo3conf/)

Confidence Scoring

Each detected technology gets a confidence score between 0 and 1, computed as match_count / flows_with_responses. Detections with multiple matching flows score higher than one-off matches. Results are sorted by confidence descending so the most-supported technologies surface first.
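
The matching and scoring described under Detection Sources and Confidence Scoring, as an added Python example (not Hugin's own code). The signature list, the flow layout and the function names are assumptions made for illustration, and the sample flows are constructed.

```python
import re
from collections import Counter

# Hypothetical signatures (not Hugin's own set): (technology, source, pattern).
SIGNATURES = [
    ("nginx", "header:server", re.compile(r"^nginx", re.I)),
    ("PHP", "header:x-powered-by", re.compile(r"^PHP/", re.I)),
    ("PHP", "cookie", re.compile(r"^PHPSESSID$")),
    ("WordPress", "path", re.compile(r"/wp-content/")),
    ("jQuery", "body", re.compile(r"jquery[.-][\d.]*(min\.)?js", re.I)),
]

def candidates(flow, source):
    """Values from one captured flow that a signature of this source is tested on."""
    headers = {k.lower(): v for k, v in flow["headers"].items()}
    if source.startswith("header:"):
        return headers.get(source.split(":", 1)[1], [])
    if source == "cookie":  # cookie names only, taken from Set-Cookie
        return [v.split("=", 1)[0].strip() for v in headers.get("set-cookie", [])]
    return [flow["path"] if source == "path" else flow["body"]]

def match_flow(flow):
    """Technologies seen in one flow; a set, so each counts once per flow."""
    return {tech for tech, source, rx in SIGNATURES
            if any(rx.search(v) for v in candidates(flow, source))}

def score(flows):
    """confidence = match_count / flows_with_responses, sorted descending."""
    answered = [f for f in flows if f["headers"] is not None]
    if not answered:
        return []  # no responses captured: nothing to score, no division by zero
    counts = Counter(tech for f in answered for tech in match_flow(f))
    ranked = [(tech, n / len(answered)) for tech, n in counts.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed sample flows for one host; the last request got no response.
NGINX = {"Server": ["nginx/1.24.0"]}
FLOWS = [
    {"path": "/", "body": '<script src="/js/jquery-3.6.0.min.js"></script>',
     "headers": {**NGINX, "X-Powered-By": ["PHP/8.2.1"], "Set-Cookie": ["PHPSESSID=a1"]}},
    {"path": "/wp-content/uploads/a.png", "body": "", "headers": NGINX},
    {"path": "/wp-content/themes/x/style.css", "body": "", "headers": NGINX},
    {"path": "/api/ping", "body": "{}", "headers": NGINX},
    {"path": "/slow", "body": None, "headers": None},
]

if __name__ == "__main__":
    for tech, confidence in score(FLOWS):
        print(f"{tech:10} {confidence:.2f}")
```

Because the denominator is every flow with a response, a technology that only appears on a few paths scores low even when the individual match is unambiguous, so read the score as breadth of evidence across the captured traffic.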

Recommendations Engine

The Recommend action (per-host) outputs a prioritised list of recommended scans and payload sets based on the detected stack:

  • “WordPress 5.x detected → run wp-scan plugin enumeration, focus on stored XSS in admin”
  • “ASP.NET ViewState detected → check for unsigned/unencrypted ViewState”
  • “Spring framework detected → SpEL injection candidates, check Actuator exposure”
  • “AWS CloudFront with origin header → host header injection candidates”

Security Headers View

The Security Headers sub-view aggregates header presence/absence across all hosts:

  • HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Per-host scorecard (which headers are present)
  • Aggregate stats (% of hosts missing each header)

Useful for quick scope-wide posture summaries.

Profile View

The Profile view is a per-host card showing all detected technologies with versions, confidence, and last-verified timestamp. Click any signature to see the evidence (which response, which header, which line).

MCP

The fingerprint MCP tool exposes:

  • categories — list signature categories
  • signatures — list all signatures (or filter by category)
  • security_headers — security header analysis for a host
  • recommend — prioritised scan recommendations for a host
  • analyze_headers — analyse a single response’s headers
  • profile — full tech profile for a host

Combine with the Intelligence tool to chain “fingerprint host → recommend scans → execute”.