FixVibe

// discovery / spotlight

Technology Fingerprinting

Knowing your stack is half the recon — outdated frameworks turn that into the other half.

Il gancio

Recon is the first phase of every targeted attack and most opportunistic ones. Tools like Wappalyzer, BuiltWith, and Shodan scan the public internet continuously, mapping which sites run which stacks at which versions. The attacker's worflow: filter for 'sites running vulnerable WordPress 5.x' or 'sites with exposed Spring Boot Actuator', then mass-exploit. Fingerprint defense doesn't prevent attacks, but it raises the cost — the attacker has to probe individually rather than pulling targets from a pre-built database. Combined with prompt patching, fingerprint reduction means the only attackers who reach your stack are the ones already specifically interested.

Come funziona

Frameworks leak identity through several channels. Response headers — `X-Powered-By: PHP/8.1.0`, `Server: Apache/2.4.41`, `X-Aspnet-Version: 4.0.30319`, `X-Generator: Drupal 9` — are the most direct. Distinctive cookie names — `PHPSESSID`, `JSESSIONID`, `wordpress_logged_in_*`, `connect.sid` — give away the language and framework. Characteristic URL patterns: `/wp-admin/`, `/_next/`, `/_nuxt/`, `/__nextjs_original-stack-frame`, `/static/django-admin/`, `/api/v1/_health` for FastAPI defaults. JS framework signatures inside the bundle — `__NEXT_DATA__`, Vue's hydration markers, the React DevTools hook. CDN signatures via headers like `cf-ray` (Cloudflare), `x-vercel-id` (Vercel), `x-amz-cf-id` (CloudFront). Each one is a small leak; together they map the stack precisely.

Il raggio d'azione

Maps your deployment to known CVEs in seconds. An outdated WordPress version surfaces a list of public exploits ranked by severity and exploitation maturity. An old Spring Boot version is potentially Spring4Shell-class RCE. Knowing your edge CDN is knowing which WAF rules to tunnel through (every WAF has known bypasses; targeted attackers research yours specifically). Combined with the CVE-lookup check, fingerprinting is the input that makes targeted exploitation efficient.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Strip version banners from response headers. Most servers and frameworks ship with an option: nginx `server_tokens off`, Apache `ServerTokens Prod` and `ServerSignature Off`, Express `app.disable('x-powered-by')`, ASP.NET MVC's `<httpRuntime enableVersionHeader='false' />`, Django's `SECURE_BROWSER_XSS_FILTER` and related. Don't expose framework defaults that broadcast identity — `/wp-json/wp/v2/users` listing your editorial team is WordPress doing what WordPress does, but you can disable it. Patch promptly so the version that's identifiable is at least the current one. A CDN with a strong WAF (Cloudflare, AWS Shield, Fastly) helps mask origin identity from drive-by scanners. Audit your bundle for inline references to your stack — many SaaS apps unintentionally include `vite.config.ts` paths or webpack plugin names in error messages. None of these alone is impactful; together they reduce the surface meaningfully.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Discovery
142
test eseguiti in questa categoria
modules
23
controlli dedicati a discovery
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

Technology Fingerprinting — Vulnerabilità in primo piano | FixVibe · FixVibe