This plugin fingerprints the remote web server and tries to determine the server type, version and patch level. It uses fingerprinting, not just the Server header returned by the remote server. This plugin is a wrapper for Dustin Lee’s hmap. One configurable parameter exists:

  • genFpF

If genFpF is set to True, a fingerprint file is generated. Fingerprint files are used to identify web servers; if you generate new files, please send them to the w3af-develop mailing list so we can add them to the framework. One important thing to notice is that hmap connects directly to the remote web server, without using the framework HTTP configurations (like proxy or authentication).

Plugin type



Name   | Type    | Default Value | Description                  | Help
-------|---------|---------------|------------------------------|-----
genFpF | boolean | False         | Generate a fingerprint file. | Define if we will generate a fingerprint file based on the findings made during this execution.


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
Plugin source code
Unittest source code


This plugin depends on infrastructure.server_header.