Frequently Asked Questions
Common questions about HTTP-Basma, the fingerprinting algorithm, and this web application.
What is HTTP-Basma?
HTTP-Basma is a novel active fingerprinting algorithm that unveils unique server profiles through a multi-layered approach. It works by sending 8 specially crafted HTTP requests with varying requirements to elicit different responses from the server. Once the server response is retrieved, the HTTP status line is surgically dissected for all elements and encoded optimally. Additionally, select headers from the server response are checked for encoding as well.
In "HTTP-Basma", the term/word Basma comes from the Arabic word for fingerprint, written as بصمة.
What is a verbosus fingerprint, and what is a pacto fingerprint?
- Verbosus fingerprint: is the final hash generated by the algorithm to identify a given HTTP server. It is 38 bytes (38 bytes in binary and 76 characters in plaintext) in length, and reversible. It's modular design philosophy treats each request fingerprint as a building block, allowing for elegant refactoring, with the possibility to add and subtract the fingerprint of any request. The first byte 0x01 is the version number of the verbosus algorithm.
For example, on May 28, 2026, the verbosus fingerprint for https://www.google.com over port 443 with SSL/TLS enabled is: 01140a85e4001320958a22142494d62214254c5e2214254c5e22080014254c5e220000000000
- Pacto fingerprint: is a 16-byte (16 bytes in binary and 32 characters in plaintext) one-way hash, derived from verbosus, enhancing privacy and security. It is derived by first calculating the SHA-256 hash of the verbosus fingerprint (excluding its version byte) and then taking the first 15 bytes of that hash. The first byte 0x02 is the version number of the Pacto algorithm.
For example, the pacto fingerprint for 01140a85e4001320958a22142494d62214254c5e2214254c5e22080014254c5e220000000000 is: 0202be780e1eaae0eaa6184e20c909b6
Can I come up with my own Verbosus and Pacto fingerprints?
Yes, you can, and that's the whole idea behind the design philosophy of the algorithm. You may come up with your own hashing algorithm for the pacto fingerprint, and your own building blocks for the verbosus fingerprint. Just make sure to assign a different version number to distinguish yours from the standard ones.
Where can I find more information about the HTTP-Basma algorithm?
The details of the algorithm, design, tooling and examples are documented in the paper Adaptive Fingerprinting: HTTP-Basma's Multi-Stage Probing for Granular Server Differentiation.
Where is the source code and is there a compiled version that I can download to test it locally on my own?
The tool HTTP-Basma is written in C++, and the source code is available on GitHub.
Compiled Windows and Linux x64 versions of the public code in this repository.
Is it safe to fingerprint any public server?
Yes, but remember it is an active fingerprint and not a passive one. Eight consecutive requests are sent to the target server from the same source IP address. With that in mind, the server might respond with "Too Many Requests" if attempting to fetch the fingerprint of the server more than once in a short period of time.
How reliable is the fingerprint?
It depends. If the target server is behind a proxy, a load balancer, or some other type of front end web server, then the fingerprint represents the first server it hits.
Sometimes, you might get two different fingerprints in a short period of time. Why? Remember that the last two bytes (4 characters) in the verbosus fingerprint encode the connection header from the server response for the probes P2-P5 and P7, and the state of this header tend to change as you query the server multiple times. However, feel free to drop the last block, the connection header block, from the fingerprint, to attain a reliable fingerprint. On the other hand, some servers (C&C) hardcode the connection header state, and it doesn't change. Know when to keep it and when to drop it, based on your use-case.
Furthermore, some HTTP servers might respond differently when sending the same request repeatedly, as detailed in the paper, in the "Experimentation" section ("Observations"), page 27.
What's the Proxy section for in the Fingerprint tab?
By default, HTTPBasma backend fingerprints the target server from the hosting server. The proxy section allows any user to specify their own proxy settings to optionally route the fingerprint probes through an HTTP/SOCKS proxy.
When fetching a server fingerprint, what exactly is the 'headers hash' shown in the Compact and Full outputs?
The "headers hash" you see per probe is an experimental fingerprinting algorithm for the response headers and included for comparison purposes. In a nutshell, it is the FNV-1a hash of some headers in the server response. The specifics of this algorithm are documented in the paper, under the "Tool - HTTP-Basma" section, page 24.
What's the DATABASE MATCH on the Fingerprint tab and the DB Match tab?
This feature exposes the Majestic top 1-million website fingerprints. If checked, it'll search the database for servers that match this verbosus fingerprint. It returns a list of the matching servers, up to the value in the LIMIT box. There's an upper limit in the backend with regards to how many matching entries are returned to the user (50). The "TOTAL MATCHES IN DATABASE" box, shows the actual total number of matches in the database. The DATE and TIME columns show when the P1 fingerprint was fetched.
Do I have to tag every server/domain I submit for fingerprinting?
No, tagging is optional, but it is highly recommended. When you enable the Save result to database option in the Save to Database section of the Fingerprint tab, the TAGS input field becomes available. Applying tags allows you to easily cluster, categorize, and search through collected domains, for example, by tagging a domain with a specific APT actor name if its affiliation is known. You can query these tags directly within the Search tab.
Are my fingerprint queries stored anywhere?
Yes, this feature is optional (checked by default). In the Fingerprint tab, the Save to Database section allows you to store and tag the full results of a server or domain fetch operation. These results are saved on Netomize’s servers and become searchable and viewable for all users via the Search and Recent tabs.
Can I run HTTP-Basma against my own server in production?
Yes, the tool doesn't send any malformed packets/requests that will break the server. You can capture the HTTP traffic in Wireshark.
How can I report a bug or suggest a feature?
Open an issue or a pull request on the official GitHub repository of the tool.