What is httpx?
httpx is a fast and multi-purpose HTTP toolkit made by Project Discovery that allows running multiple probes using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads. httpx can be used to obtain web server information, such as headers, download pages and take screenshots of targets. httpx is perfect for validating http/https servers for large scopes on bugbounty programs or performing asset management / penetration testing.
- What is httpx?
- httpx Installation
- httpx Project Discovery Tutorial
- httpx Supported Probes
- httpx Cheat Sheet
- Real World httpx Examples
- Conclusion
httpx Installation
How to install httpx:
httpx Project Discovery Tutorial
After installation the following simple httpx tutorial will get you up and scanning web servers:
For more options and real world httpx examples see the bottom of this document.
httpx Supported Probes
The type of data httpx can obtain from target web servers:
Probes | Default check | Probes | Default check |
---|---|---|---|
URL | true | IP | true |
Title | true | CNAME | true |
Status Code | true | Raw HTTP | false |
Content Length | true | HTTP2 | false |
TLS Certificate | true | HTTP Pipeline | false |
CSP Header | true | Virtual host | false |
Line Count | true | Word Count | true |
Location Header | true | CDN | false |
Web Server | true | Paths | false |
Web Socket | true | Ports | false |
Response Time | true | Request Method | true |
Favicon Hash | false | Probe Status | false |
Body Hash | true | Header Hash | true |
Redirect chain | false | URL Scheme | true |
JARM Hash | false | ASN | false |
TIP: Take Screenshots with httpx
To take screenshots with httpx use -screenshot
or -ss
httpx Cheat Sheet
httpx Input Commands
COMMAND | DESCRIPTION |
---|---|
|
input file containing list of hosts to process |
|
file containing raw request |
|
input target host(s) to probe |
httpx Probe Commands
COMMAND | DESCRIPTION |
---|---|
|
display response status-code |
|
display response content-length |
|
display response content-type |
|
display response redirect location |
|
display mmh3 hash for '/favicon.ico' file |
|
display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512) |
|
display jarm fingerprint hash |
|
display response time |
|
display response body line count |
|
display response body word count |
|
display page title |
|
display first N characters of response body (default 100) |
|
display server name |
|
display technology in use based on wappalyzer dataset |
|
display http request method |
|
display server using websocket |
|
display host ip |
|
display host cname |
|
display host asn information |
|
display cdn/waf in use (default true) |
|
display probe status |
httpx Headless Options
COMMAND | DESCRIPTION |
---|---|
|
enable saving screenshot of the page using headless browser |
|
enable using local installed chrome for screenshot |
|
enable excluding screenshot bytes from json output |
|
enable excluding headless header from json output |
httpx Match in Response
Allows httpx to match something in the server response header / body / http response code or url etc.
COMMAND | DESCRIPTION |
---|---|
|
match response with specified status code (-mc 200,302) |
|
match response with specified content length (-ml 100,102) |
|
match response body with specified line count (-mlc 423,532) |
|
match response body with specified word count (-mwc 43,55) |
|
match response with specified favicon hash (-mfc 1494302000) |
|
match response with specified string (-ms admin) |
|
match response with specified regex (-mr admin) |
|
match host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath) |
|
match response with specified response time in seconds (-mrt '< 1') |
|
match response with dsl expression condition |
httpx Extract Regex Strings
Allows httpx to extract regex strings from the reponse.
COMMAND | DESCRIPTION |
---|---|
|
display response content with matched regex |
|
display response content matched by a pre-defined regex (mail, url, ipv4) |
httpx Filters
Filter by response code, length, server version, error page, url etc
COMMAND | DESCRIPTION |
---|---|
|
filter response with specified status code (-fc 403,401) |
|
filter response with ML based error page detection |
|
filter response with specified content length (-fl 23,33) |
|
filter response body with specified line count (-flc 423,532) |
|
filter response body with specified word count (-fwc 423,532) |
|
filter response with specified favicon hash (-ffc 1494302000) |
|
filter response with specified string (-fs admin) |
|
filter response with specified regex (-fe admin) |
|
filter host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath) |
|
filter response with specified response time in seconds (-frt '> 1') |
|
filter response with dsl expression condition |
|
strips all tags in response. supported formats: html,xml (default html) |
httpx Rate Limiting
Limit the number of requests httpx can make per second / per minute and configure the number of threads.
COMMAND | DESCRIPTION |
---|---|
|
number of threads to use (default 50) |
|
maximum requests to send per second (default 150) |
|
maximum number of requests to send per minute |
Misc httpx Commands
COMMAND | DESCRIPTION |
---|---|
|
probe all the ips associated with same host |
|
ports to probe (nmap syntax: eg http:1,2-10,11,https:80) |
|
path or list of paths to probe (comma-separated, file) |
|
send http probes on the extracted TLS domains (dns_name) |
|
send http probes on the extracted CSP domains |
|
perform TLS(SSL) data grabbing |
|
probe and display server supporting HTTP1.1 pipeline |
|
probe and display server supporting HTTP2 |
|
probe and display server supporting VHOST |
|
list json output field keys name that support dsl matcher/filter |
httpx Update
How to update httpx + how to disable auto update.
COMMAND | DESCRIPTION |
---|---|
|
update httpx to latest version |
|
disable automatic httpx update check |
httpx File Output
httpx output file options.
COMMAND | DESCRIPTION |
---|---|
|
file to write output results |
|
filename to write output results in all formats |
|
store http response to output directory |
|
store http response to custom directory |
|
store output in csv format |
|
define output encoding |
|
store output in JSONL(ines) format |
|
include http response (headers) in JSON output (-json only) |
|
include http request/response (headers + body) in JSON output (-json only) |
|
include base64 encoded http request/response in JSON output (-json only) |
|
include redirect http chain in JSON output (-json only) |
|
include http redirect chain in responses (-sr only) |
|
include visual recon clusters (-ss and -sr only) |
httpx Config Options
COMMAND | DESCRIPTION |
---|---|
|
path to the httpx configuration file (default $HOME/.config/httpx/config.yaml) |
|
list of custom resolver (file or comma separated) |
|
allowed list of IP/CIDR's to process (file or comma separated) |
|
denied list of IP/CIDR's to process (file or comma separated) |
|
custom TLS SNI name |
|
enable Random User-Agent to use (default true) |
|
custom http headers to send with request |
|
http proxy to use (eg http://127.0.0.1:8080) |
|
send raw requests skipping golang normalization |
|
resume scan using resume.cfg |
|
follow http redirects |
|
max number of redirects to follow per host (default 10) |
|
follow redirects on the same host |
|
respect HSTS response headers for redirect requests |
|
get a list of vhosts as input |
|
request methods to probe, use 'all' to probe all HTTP methods |
|
post body to include in http request |
|
stream mode - start elaborating input targets without sorting |
|
disable dedupe input items (only used with stream mode) |
|
leave default http/https ports in host header (eg. http://host:80 - https://host:443) |
|
use ztls library with autofallback to standard one for tls13 |
|
avoid decoding body |
|
enable experimental client hello (ja3) tls randomization |
|
Disable Stdin processing |
httpx Debug Options
COMMAND | DESCRIPTION |
---|---|
|
run diagnostic check up |
|
display request/response content in cli |
|
display request content in cli |
|
display response content in cli |
|
display httpx version |
|
display scan statistic |
|
optional httpx memory profile dump file |
|
silent mode |
|
verbose mode |
|
number of seconds to wait between showing a statistics update (default: 5) |
|
disable colors in cli output |
Optimizations
Improve the performance of httpx tune the settings to the target environment.
COMMAND | DESCRIPTION |
---|---|
|
display both probed protocol (HTTPS and HTTP) |
|
probe with protocol scheme specified in input |
|
max error count per host before skipping remaining path/s (default 30) |
|
skip full port scans for CDN/WAF (only checks for 80,443) |
|
skip any hosts which have a private ip address |
|
number of retries |
|
timeout in seconds (default 10) |
|
duration between each http request (eg: 200ms, 1s) (default -1ns) |
|
max response size to save in bytes (default 2147483647) |
|
max response size to read in bytes (default 2147483647) |
Real World httpx Examples
DNSX to httpx
Run domains through dnsx to confirm resolution, then through httpx to confirm a 200 response from the webserver:
httpx Follow Redirects
For httpx to follow redirects use:
httpx Screenshot
Take a screenshot of targets that return 200 response:
Basic Recon
Conclusion
We hope this httpx cheat sheet was useful in covering the usage of this excellent HTTP toolkit by Project Discovery for performing recon against web servers and applications.