.github | ||
cmd/httpx | ||
common | ||
runner | ||
scripts | ||
static | ||
.gitignore | ||
.goreleaser.yml | ||
Dockerfile | ||
go.mod | ||
go.sum | ||
LICENSE.md | ||
Makefile | ||
README.md |
Features • Installation • Usage • Running httpx • Notes • Join Discord
httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
Features
- Simple and modular code base making it easy to contribute.
- Fast And fully configurable flags to probe mutiple elements.
- Supports multiple HTTP based probings.
- Smart auto fallback from https to http as default.
- Supports hosts, URLs and CIDR as input.
- Handles edge cases doing retries, backoffs etc for handling WAFs.
Supported probes:-
Probes | Default check | Probes | Default check |
---|---|---|---|
URL | true | IP | true |
Title | true | CNAME | true |
Status Code | true | Raw HTTP | false |
Content Length | true | HTTP2 | false |
TLS Certificate | true | HTTP 1.1 Pipeline | false |
CSP Header | true | Virtual host | false |
Location Header | true | CDN | false |
Web Server | true | Path | false |
Web Socket | true | Ports | false |
Response Time | true | Request method | false |
Installation Instructions
httpx requires go1.14+ to install successfully. Run the following command to get the repo -
GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx
Usage
httpx -h
This will display help for the tool. Here are all the switches it supports.
👉 httpx help menu 👈
-H value
Custom Header
-allow value
Allowlist ip/cidr
-body string
Content to send in body with HTTP request
-cdn
Check if domain's ip belongs to known CDN (akamai, cloudflare, ..)
-cname
Output first cname
-content-length
Extracts content length
-content-type
Extracts content-type
-csp-probe
Send HTTP probes on the extracted CSP domains
-debug
Debug mode
-deny value
Denylist ip/cidr
-exclude-cdn
Skip full port scans for CDNs (only checks for 80,443)
-extract-regex string
Extract Regex
-fc string
Filter status code
-filter-regex string
Filter Regex
-filter-string string
Filter String
-fl string
Filter content length
-follow-host-redirects
Only follow redirects on the same host
-follow-redirects
Follow Redirects
-http-proxy string
HTTP Proxy, eg http://127.0.0.1:8080
-http2
HTTP2 probe
-include-chain
Show Raw HTTP Chain In Output (-json only)
-include-response
Show Raw HTTP Response In Output (-json only)
-ip
Output target ip
-json
JSON Output
-l string
File containing domains
-location
Extracts location header
-match-regex string
Match Regex
-match-string string
Match string
-mc string
Match status code
-method
Display request method
-ml string
Match content length
-no-color
No Color
-no-fallback
If HTTPS on port 443 is successful on default configuration, probes also port 80 for HTTP
-no-fallback-scheme
The tool will respect and attempt the scheme specified in the url (if HTTPS is specified no HTTP is attempted)
-o string
File to write output to (optional)
-path string
Request path/file (example '/api')
-paths string
Command separated paths or file containing one path per line (example '/api/v1,/apiv2')
-pipeline
HTTP1.1 Pipeline
-ports value
ports range (nmap syntax: eg 1,2-10,11)
-probe
Display probe status
-random-agent
Use randomly selected HTTP User-Agent header value (default true)
-rate-limit int
Maximum requests to send per second (default 150)
-request string
File containing raw request
-response-in-json
Show Raw HTTP Response In Output (-json only) (deprecated)
-response-size-to-read int
Max response size to read in bytes (default - unlimited)
-response-size-to-save int
Max response size to save in bytes (default - unlimited)
-response-time
Output the response time
-resume
Resume scan using resume.cfg
-retries int
Number of retries
-silent
Silent mode
-sr
Save response to file (default 'output')
-srd string
Save response directory (default "output")
-stats
Enable statistic on keypress (terminal may become unresponsive till the end)
-status-code
Extracts status code
-store-chain
Save chain to file (default 'output')
-tech-detect
Perform wappalyzer based technology detection
-threads int
Number of threads (default 50)
-timeout int
Timeout in seconds (default 5)
-title
Extracts title
-tls-grab
Perform TLS data grabbing
-tls-probe
Send HTTP probes on the extracted TLS domains
-unsafe
Send raw requests skipping golang normalization
-verbose
Verbose Mode
-version
Show version of httpx
-vhost
Check for VHOSTs
-vhost-input
Get a list of vhosts as input
-web-server
Extracts server header
-websocket
Prints out if the server exposes a websocket
-x string
Request Methods, use ALL to check all verbs ()
Running httpX
Running httpx with stdin
This will run the tool against all the hosts and subdomains in hosts.txt
and returns URLs running HTTP webserver.
▶ cat hosts.txt | httpx
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ \/ __/ __/ __ \| /
/ / / / /_/ /_/ /_/ / |
/_/ /_/\__/\__/ .___/_/|_| v1.0
/_/
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
https://mta-sts.managed.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://docs.hackerone.com
https://www.hackerone.com
https://resources.hackerone.com
https://api.hackerone.com
https://support.hackerone.com
Running httpx with file input
This will run the tool with the probe
flag against all of the hosts in hosts.txt and return URLs with probed status.
▶ httpx -l hosts.txt -silent -probe
http://ns.hackerone.com [FAILED]
https://docs.hackerone.com [SUCCESS]
https://mta-sts.hackerone.com [SUCCESS]
https://mta-sts.managed.hackerone.com [SUCCESS]
http://email.hackerone.com [FAILED]
https://mta-sts.forwarding.hackerone.com [SUCCESS]
http://links.hackerone.com [FAILED]
https://api.hackerone.com [SUCCESS]
https://www.hackerone.com [SUCCESS]
http://events.hackerone.com [FAILED]
https://support.hackerone.com [SUCCESS]
https://gslink.hackerone.com [SUCCESS]
http://o1.email.hackerone.com [FAILED]
http://info.hackerone.com [FAILED]
https://resources.hackerone.com [SUCCESS]
http://o2.email.hackerone.com [FAILED]
http://o3.email.hackerone.com [FAILED]
http://go.hackerone.com [FAILED]
http://a.ns.hackerone.com [FAILED]
http://b.ns.hackerone.com [FAILED]
Running httpx with CIDR input
▶ echo 173.0.84.0/24 | httpx -silent
https://173.0.84.29
https://173.0.84.43
https://173.0.84.31
https://173.0.84.44
https://173.0.84.12
https://173.0.84.4
https://173.0.84.36
https://173.0.84.45
https://173.0.84.14
https://173.0.84.25
https://173.0.84.46
https://173.0.84.24
https://173.0.84.32
https://173.0.84.9
https://173.0.84.13
https://173.0.84.6
https://173.0.84.16
https://173.0.84.34
Running httpx with subfinder
subfinder -d hackerone.com | httpx -title -tech-detect -status-code
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ \/ __/ __/ __ \| /
/ / / / /_/ /_/ /_/ / |
/_/ /_/\__/\__/ .___/_/|_|
/_/ v1.0.6
projectdiscovery.io
Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
https://mta-sts.managed.hackerone.com [404] [Page not found · GitHub Pages] [Varnish,GitHub Pages,Ruby on Rails]
https://mta-sts.hackerone.com [404] [Page not found · GitHub Pages] [Varnish,GitHub Pages,Ruby on Rails]
https://mta-sts.forwarding.hackerone.com [404] [Page not found · GitHub Pages] [GitHub Pages,Ruby on Rails,Varnish]
https://docs.hackerone.com [200] [HackerOne Platform Documentation] [Ruby on Rails,jsDelivr,Gatsby,React,webpack,Varnish,GitHub Pages]
https://support.hackerone.com [301,302,301,200] [HackerOne] [Cloudflare,Ruby on Rails,Ruby]
https://resources.hackerone.com [301,301,404] [Sorry, no Folders found.]
📋 Notes
- As default, httpx checks for
HTTPS
probe and fall-back toHTTP
only ifHTTPS
is not reachable. - For printing both HTTP/HTTPS results,
no-fallback
flag can be used. - Custom scheme for ports can be defined, for example
-ports http:443,http:80,https:8443
vhost
,http2
,pipeline
,ports
,csp-probe
,tls-probe
andpath
are unique flag with different probes.- Unique flags should be used for specific use cases instead of running them as default with other flags.
- When using
json
flag, all the information (default probes) included in the JSON output.
Thanks
httpx is made with 🖤 by the projectdiscovery team. Community contributions have made the project what it is. See the Thanks.md file for more details. Do also check out these similar awesome projects that may fit in your workflow:
Probing feature is inspired by @tomnomnom/httprobe work ❤️