Features • Installation • Usage • Running httpx • Notes • Join Discord
httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
- Simple and modular code base making it easy to contribute.
- Fast And fully configurable flags to probe mutiple elements.
- Supports multiple HTTP based probings.
- Smart auto fallback from https to http as default.
- Supports hosts, URLs and CIDR as input.
- Handles edge cases doing retries, backoffs etc for handling WAFs.
| Probes | Default check | Probes | Default check |
|---|---|---|---|
| URL | true | IP | true |
| Title | true | CNAME | true |
| Status Code | true | Raw HTTP | false |
| Content Length | true | HTTP2 | false |
| TLS Certificate | true | HTTP 1.1 Pipeline | false |
| CSP Header | true | Virtual host | false |
| Location Header | true | CDN | false |
| Web Server | true | Path | false |
| Web Socket | true | Ports | false |
| Response Time | true | Request method | false |
httpx requires go1.14+ to install successfully. Run the following command to get the repo -
GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpxhttpx -hThis will display help for the tool. Here are all the switches it supports.
👉 httpx help menu 👈
Usage of ./httpx: -H value Custom Header -allow value Allowlist ip/cidr -body string Request Body -cdn Check if domain's ip belongs to known CDN (akamai, cloudflare, ..) -cname Output first cname -content-length Extracts content length -content-type Extracts content-type -csp-probe Send HTTP probes on the extracted CSP domains -debug Debug mode -deny value Denylist ip/cidr -extract-regex string Extract Regex -fc string Filter status code -filter-regex string Filter Regex -filter-string string Filter String -fl string Filter content length -follow-host-redirects Only follow redirects on the same host -follow-redirects Follow Redirects -http-proxy string HTTP Proxy, eg http://127.0.0.1:8080 -http2 HTTP2 probe -include-chain Show Raw HTTP Chain In Output (-json only) -include-response Show Raw HTTP Response In Output (-json only) -ip Output target ip -json JSON Output -l string File containing domains -location Extracts location header -match-regex string Match Regex -match-string string Match string -max-response-body-size int Maximum response body size (default 2147483647) -mc string Match status code -method Output method -ml string Match content length -no-color No Color -no-fallback If HTTPS on port 443 is successful on default configuration, probes also port 80 for HTTP -o string File to write output to (optional) -path string Request path/file (example '/api') -paths string Command separated paths or file containing one path per line (example '/api/v1,/apiv2') -pipeline HTTP1.1 Pipeline -ports value ports range (nmap syntax: eg 1,2-10,11) -random-agent Use randomly selected HTTP User-Agent header value -request string File containing raw request -response-in-json Show Raw HTTP Response In Output (-json only) (deprecated) -response-time Output the response time -retries int Number of retries -silent Silent mode -sr Save response to file (default 'output') -srd string Save response directory (default "output") -stats Enable statistic on keypress (terminal may become unresponsive till the end) -status-code Extracts status code -store-chain Save chain to file (default 'output') -tech-detect Perform wappalyzer based technology detection -threads int Number of threads (default 50) -timeout int Timeout in seconds (default 5) -title Extracts title -tls-grab Perform TLS data grabbing -tls-probe Send HTTP probes on the extracted TLS domains -unsafe Send raw requests skipping golang normalization -verbose Verbose Mode -version Show version of httpx -vhost Check for VHOSTs -vhost-input Get a list of vhosts as input -web-server Extracts server header -websocket Prints out if the server exposes a websocket -x string Request Methods, use ALL to check all verbs () This will run the tool against all the hosts and subdomains in hosts.txt and returns URLs running HTTP webserver.
▶ cat hosts.txt | httpx __ __ __ _ __ / /_ / /_/ /_____ | |/ / / __ \/ __/ __/ __ \| / / / / / /_/ /_/ /_/ / | /_/ /_/\__/\__/ .___/_/|_| v1.0 /_/ projectdiscovery.io [WRN] Use with caution. You are responsible for your actions [WRN] Developers assume no liability and are not responsible for any misuse or damage. https://mta-sts.managed.hackerone.com https://mta-sts.hackerone.com https://mta-sts.forwarding.hackerone.com https://docs.hackerone.com https://www.hackerone.com https://resources.hackerone.com https://api.hackerone.com https://support.hackerone.comThis will run the tool against all the hosts and subdomains in hosts.txt and returns URLs running HTTP webserver.
▶ httpx -l hosts.txt -silent https://docs.hackerone.com https://mta-sts.hackerone.com https://mta-sts.managed.hackerone.com https://mta-sts.forwarding.hackerone.com https://www.hackerone.com https://resources.hackerone.com https://api.hackerone.com https://support.hackerone.com▶ echo 173.0.84.0/24 | httpx -silent https://173.0.84.29 https://173.0.84.43 https://173.0.84.31 https://173.0.84.44 https://173.0.84.12 https://173.0.84.4 https://173.0.84.36 https://173.0.84.45 https://173.0.84.14 https://173.0.84.25 https://173.0.84.46 https://173.0.84.24 https://173.0.84.32 https://173.0.84.9 https://173.0.84.13 https://173.0.84.6 https://173.0.84.16 https://173.0.84.34▶ subfinder -d hackerone.com | httpx -title -tech-detect -status-code -follow-redirects __ __ __ _ __ / /_ / /_/ /_____ | |/ / / __ \/ __/ __/ __ \| / / / / / /_/ /_/ /_/ / | /_/ /_/\__/\__/ .___/_/|_| /_/ v1.0.6 projectdiscovery.io Use with caution. You are responsible for your actions Developers assume no liability and are not responsible for any misuse or damage. https://mta-sts.managed.hackerone.com [404] [Page not found · GitHub Pages] [Varnish,GitHub Pages,Ruby on Rails] https://mta-sts.hackerone.com [404] [Page not found · GitHub Pages] [Varnish,GitHub Pages,Ruby on Rails] https://mta-sts.forwarding.hackerone.com [404] [Page not found · GitHub Pages] [GitHub Pages,Ruby on Rails,Varnish] https://docs.hackerone.com [200] [HackerOne Platform Documentation] [Ruby on Rails,jsDelivr,Gatsby,React,webpack,Varnish,GitHub Pages] https://support.hackerone.com [301,302,301,200] [HackerOne] [Cloudflare,Ruby on Rails,Ruby] https://resources.hackerone.com [301,301,404] [Sorry, no Folders found.]- As default, httpx checks for
HTTPSprobe and fall-back toHTTPonly ifHTTPSis not reachable. - For printing both HTTP/HTTPS results,
no-fallbackflag can be used. - Custom scheme for ports can be defined, for example
-ports http:443,http:80,https:8443 vhost,http2,pipeline,ports,csp-probe,tls-probeandpathare unique flag with different probes.- Unique flags should be used for specific use cases instead of running them as default with other flags.
- When using
jsonflag, all the information (default probes) included in the JSON output.
httpx is made with 🖤 by the projectdiscovery team. Community contributions have made the project what it is. See the Thanks.md file for more details. Do also check out these similar awesome projects that may fit in your workflow:
Probing feature is inspired by @tomnomnom/httprobe work ❤️