Driftnet

API Documentation

Favicon Fingerprints

Overview

Favicons are the small icons displayed to the side of your browser"s address bar, or used as touch icons on some devices.

Driftnet collects Favicons from every web server it encounters.

Searching by Hash or URL

Favicon fingerprints can be looked by SHA1 hash:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons?sha1=93dd5954bcdc8990bcb0bded60713b10702ee497' \
  | jq . \
  | less -S

...by SHA256 hash:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons?sha256=6eb6de385e2bde8472be2d52eee4e155e0d63b5ca9fbbd9c73410687a589eddf' \
  | jq . \
  | less -S

...by MD5 hash:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons?md5=cbc0168713777ee346ab9548f44f4f05' \
  | jq . \
  | less -S

...by Murmur3 (32-bit) hash:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons?murmur3=613284182' \
  | jq . \
  | less -S

...or by URL (including hostnames within URLs):

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons?field=url:dns.google' \
  | jq . \
  | less -S
Example Response
{
  "page": 0,
  "pages": 18,
  "result_count": 1758,
  "results": [
    {
      "date": "2019-05-13",
      "id": "vA3PVcnJQOqcgr5884j5Lw",
      "items": [
        {
          "context": "",
          "is_metadata": true,
          "type": "url",
          "value": "https://dns.google/static/93dd5954/favicon.png"
        },
        ...

Results are in the same "report" format described in the Internet Scans section.

The scan/favicons endpoint also accepts the page=, from= / to=, filter= and host_in_url= parameters. These work in exactly the same way as described in the Internet Scans section.

To see only the most recent lookup results for a URL, set the most_recent=true parameter.

Retrieving content

To retrieve the content of a specific favicon, find the the item with type obj-sha1 in the return from a scan/favicons call. Take the value of this item, and the date on which it was seen, and then call:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/favicons/body?hash=93dd5954bcdc8990bcb0bded60713b10702ee497&date=2019-05-13' \
  | jq -rc '.body' | base64 -d \
  > result.png
Example Response
example favicon

On Mac, use base64 -D instead of base64 -d.