XowiaScan

Owner Footprint

Recon & Discovery

Map every web asset an organisation owns — analytics IDs, favicon hash, reverse-IP and reverse-WHOIS pivots in one pass.

What is Owner Footprint?

Owner Footprint surfaces other web properties that probably belong to the same entity as a given domain. It pulls together every passive signal that survives modern WHOIS redaction: analytics & ad tracking IDs scraped from the homepage HTML, the favicon’s mmh3 hash (Shodan pivot), reverse-IP DNS, and one-click pivots into the reverse-WHOIS and analytics-correlation services testers actually use.

The strongest signal is the analytics ID. Owners typically reuse the same Google Analytics, GTM, AdSense, Facebook Pixel, Hotjar, Yandex or LinkedIn IDs across every site they run — so a single UA-12345-6 often unlocks a whole portfolio of sibling domains via PublicWWW / SpyOnWeb / DNSlytics. Reverse-IP is also returned, but the tool clearly flags when the IP looks like shared hosting / a CDN so you don’t treat noise as confirmation.
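The tracking-ID correlation described above, as an added sketch for auditing which IDs tie your own properties together (it is not XowiaScan's code). The patterns cover only a few of the ID families, and the hostnames and HTML are constructed samples.

```python
import re
from collections import defaultdict

# Assumed patterns for a handful of ID families; real tags vary, so treat
# these as a starting point rather than a complete or official list.
PATTERNS = {
    "google_analytics_ua": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "google_analytics_g": re.compile(r"\bG-[A-Z0-9]{8,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,8}\b"),
    "adsense": re.compile(r"\bca-pub-\d{16}\b"),
    "facebook_pixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]"),
    "hotjar": re.compile(r"\bhjid\s*:\s*(\d{5,10})\b"),
}

def extract_ids(html):
    """Return the set of (family, id) pairs found in one page's HTML."""
    found = set()
    for family, rx in PATTERNS.items():
        for m in rx.finditer(html):
            # Patterns with a capture group keep only the ID, not the call around it.
            found.add((family, m.group(1) if rx.groups else m.group(0)))
    return found

def shared_ids(pages):
    """Map each ID seen on two or more hosts to the sorted hosts carrying it."""
    hosts_by_id = defaultdict(set)
    for host, html in pages.items():
        for ident in extract_ids(html):
            hosts_by_id[ident].add(host)
    return {i: sorted(h) for i, h in hosts_by_id.items() if len(h) > 1}

# Constructed sample pages (not real sites or real IDs).
PAGES = {
    "shop.example.com": "<script>ga('create', 'UA-12345-6', 'auto');</script>"
                        "<script>fbq('init', '123456789012345');</script>",
    "blog.example.net": "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234'></script>"
                        "<script>ga('create','UA-12345-6','auto')</script>",
    "other.example.org": "<script>gtag('config', 'G-ABCDEF1234');</script>",
}

if __name__ == "__main__":
    for ident, hosts in shared_ids(PAGES).items():
        print(ident, "->", hosts)
```

An ID that appears on hosts you did not expect to be linked is the same signal an outside observer sees, so separate properties need separate tag containers if they are meant to stay unlinked.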

Everything is passive: we make one homepage fetch (SSRF-guarded, no body-bypass redirects), one favicon fetch, and one query each to public APIs (HackerTarget reverse-IP, Team Cymru ASN, optionally crt.sh for cert-subject pivots). No active scanning ever leaves our servers.

What it surfaces

  • Analytics & ad tracking IDs — Google Analytics (UA / G), GTM, AdSense, Facebook Pixel, Hotjar, Yandex Metrica, Mixpanel, Segment, Microsoft Clarity, LinkedIn Insight, Twitter Ads, TikTok, Pinterest, Quantcast, Adobe Analytics, Optimizely, Disqus, Crazy Egg, Matomo, Wistia — with one-click pivots to PublicWWW, SpyOnWeb, DNSlytics, BuiltWith and HackerTarget.
  • Favicon mmh3 hash — Shodan-compatible; click through to find every other host serving the same favicon.
  • Reverse-IP — co-hosted hostnames on the target’s IP (via HackerTarget’s public API), with a shared-hosting / CDN heuristic so you know when the result is noise.
  • ASN & country — Team Cymru over DoH, so you know who hosts the target.
  • Reverse-WHOIS pivots — ViewDNS, Whoxy, DNSlytics, SecurityTrails, crt.sh org-subject and reverse-NS, opened in a new tab.
  • CT-log subject pivot (lazy) — foreign hostnames that share certificates with the target, pulled from crt.sh on demand.

Where it fits in your workflow

  • Expand bug-bounty scope by finding the same program’s other properties via shared analytics IDs.
  • Pivot from a single in-scope domain to the org’s entire web footprint before reporting.
  • Find staging / mirror / sibling sites via favicon hash + Shodan.
  • Correlate tracking IDs across acquisitions or rebranded properties.

Use Owner Footprint

Run it from your dashboard.

At a glance

Category: Recon & Discovery
Runs: Server-side
Token cost: 4 / run (free tier)
Access: Pro
Status: ● Live

Frequently asked questions

Why is reverse-IP unreliable?

Shared hosting and CDNs put many unrelated customers behind one IP. Reverse-IP gives you a candidate list, not a confirmed-owner list. We flag shared-hosting-looking IPs and recommend you correlate with the tracking-ID pivots above.

Why is reverse-WHOIS just a link?

Reliable reverse-WHOIS requires a paid data feed (most registrars redact under GDPR). We send you to the public free services so you can run that pivot yourself with the right query already in the URL.

Does this scan the target?

No. We fetch the homepage and the favicon (SSRF-guarded), query passive third-party APIs (DoH / Cymru / HackerTarget / crt.sh) and hand you the rest as pivot links. No active scanning leaves our servers.

Why were no IDs found on my site?

Tags are often present only on inner pages (about, contact, blog). Try a deeper URL than the homepage, or run our Robots / Sitemap Harvester first to find a page that does carry the tag.