What is Login Fingerprinting?

Login fingerprinting identifies what software or platform powers a login page without needing to authenticate. Scanners analyse characteristics like page titles, form field names, CSS classes, JavaScript libraries, HTTP response headers, and favicon hashes to determine whether a login page belongs to WordPress, Jenkins, Grafana, cPanel, or thousands of other products.

How login fingerprinting works

Each management interface has distinctive traits:

  • Page titles - Jenkins returns “Dashboard [Jenkins]”, Grafana returns “Grafana” or a custom title with identifiable HTML structure
  • Favicon hashes - Shodan indexes favicon hashes (MurmurHash3), letting analysts search for specific products across the internet
  • HTTP headers - Server headers, framework-specific headers (e.g., X-Jenkins), and cookie names reveal the backend technology
  • Form structure - WordPress uses wp-login.php with specific input names; phpMyAdmin has a distinctive form layout
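
The following added example (not SurfaceLoop's code or any scanner's actual rule set) shows how the header, title and form-structure signals above can be combined into a scored match with evidence, so an inventory of your own exposed panels records why a page was classified. The rule weights, the names `LoginPage` and `fingerprint`, and the sample responses are assumptions constructed for illustration; the `log`/`pwd` and `pma_username`/`pma_password` input names come from the stock WordPress and phpMyAdmin login forms.

```python
from html.parser import HTMLParser

class LoginPage(HTMLParser):
    """Collects the <title>, form actions and input names of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.actions, self.inputs, self._in_title = "", [], set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

# (product, signal, weight, predicate); weights are assumptions, not a standard.
RULES = [
    ("Jenkins", "X-Jenkins header", 3, lambda h, p: "x-jenkins" in h),
    ("Jenkins", "title ends in [Jenkins]", 1, lambda h, p: p.title.strip().endswith("[Jenkins]")),
    ("WordPress", "form posts to wp-login.php", 2, lambda h, p: any("wp-login.php" in a for a in p.actions)),
    ("WordPress", "inputs named log and pwd", 1, lambda h, p: {"log", "pwd"} <= p.inputs),
    ("phpMyAdmin", "inputs pma_username/pma_password", 2, lambda h, p: {"pma_username", "pma_password"} <= p.inputs),
    ("Grafana", "title is Grafana", 1, lambda h, p: p.title.strip() == "Grafana"),
]

def fingerprint(headers, body):
    """Return (product, score, evidence) for the best match, else (None, 0, [])."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    page = LoginPage()
    page.feed(body)
    hits = {}
    for product, signal, weight, matches in RULES:
        if matches(h, page):
            score, evidence = hits.get(product, (0, []))
            hits[product] = (score + weight, evidence + [signal])
    best = max(hits, key=lambda name: hits[name][0], default=None)
    return (best, *hits.get(best, (0, [])))

# Constructed sample responses (headers, body), not captured from real hosts.
JENKINS = ({"X-Jenkins": "0.0-example"}, "<title>Dashboard [Jenkins]</title>")
WORDPRESS = ({"Server": "nginx"}, '<title>Log In</title><form action="/wp-login.php"><input name="log"><input name="pwd"></form>')
GENERIC = ({}, '<title>Sign in</title><form action="/login"><input name="user"></form>')
```

A title-only match scores 1 here, which is the case to treat as low confidence: titles are the easiest trait for an operator to customise, while a product-specific header or form structure corroborates the match.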

Why fingerprinting matters

Knowing the software behind a login page determines the risk, because it tells you:

  • Which default credentials to test
  • Which CVEs apply to that software version
  • What level of access a compromised login provides

EASM tools use login fingerprinting to classify exposed panels by type and severity. SurfaceLoop fingerprints detected login pages to report exactly which product is exposed, not just that a login page exists.