Basic usage
Scan host
httpx -u example.com
Scan hosts from input file
httpx -l hosts.txt
Scan targets from other program output
cat hosts.txt | httpx
Tool chain
subfinder -d example.com -silent | httpx -title -tech-detect -status-code
Testing multiple ports
Test common HTTP ports
httpx -u example.com -ports 80,443,8009,8080,8081,8090,8180,9443,9200
Path bruteforce
Test different paths or files
httpx -u example.com -sc -path "/,/path1,/path2,/path3"
Probes
Example usage - different probes, follow redirects and display output in JSON format
httpx -status-code -content-type -content-length -location \
-title -web-server -tech-detect -ip -cname -word-count -line-count -response-time \
-cdn -hash sha256 -include-response -silent -stats -follow-host-redirects -max-redirects 2 -json
Example usage - save responses, filter HTTP redirects and error pages
httpx -silent -l urls.txt -j -o httpx.json -sr \
-sc -title -ct -cl -bp -server -td -ip -cname -word-count -hash sha256 -fep -fc 301 \
-tlsi -random-agent -stats -t 5 -rl 10 -timeout 5 -maxhr 3
Interesting probes
-sc, -status-code
display response status-code
-title
display page title
-bp
display body preview
-server, -web-server
display server name
-ip
display host ip
-cname
display host cname
-cl, -content-length
display response content-length
-ct, -content-type
display response content-type
-location
display response redirect location
-hash string
display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512)
-rt, -response-time
display response time
-lc, -line-count
display response body line count
-wc, -word-count
display response body word count
-td, -tech-detect
display technology in use based on wappalyzer dataset (default true)
-method
display http request method
-cdn
display cdn/waf in use (default true)
Rate limits
Set limit - 10 threads and 50 rps
httpx -u example.com -t 10 -rate-limit 50
Rate limit options
-t int
number of threads
-rl int
maximum requests per second
-rlm int
maximum number of requests per minute
Matchers
Match specific HTTP codes
cat hosts.txt | httpx -mc 200,302
Match responses with specific string
cat hosts.txt | httpx -ms admin
Match responses with regex
cat hosts.txt | httpx -mr 'admin*'
Filters
Filter responses with specific HTTP codes
httpx -l urls.txt -fc 404,403,401,400,500
Filter responses based on ML error page detection
httpx -l urls.txt -sc -fep
Filter responses with specific text
httpx -l urls.txt -fs error
Filter responses based on regex
httpx -l urls.txt -fe '.*Error.*'
Extractors
Extract part of the response with regex
cat hosts.txt | httpx -er 'admin*'
Optimizations
Probe with protocol scheme supplied in the input (no fallback scheme)
httpx -l urls.txt -nfs
Set timeouts, max error count and retries
httpx -l urls.txt -timeout 5 -maxhr 3 -retries 1
Parameters:
-maxhr int
max error count per host before skipping
-e string
exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex)
-retries int
number of retries
-timeout int
timeout in seconds (by default 10 seconds)
-delay value
duration between each http request (eg: 200ms, 1s)
Output
Save output to the file
httpx -l urls.txt -o httpx.log
Print output in JSONL format
httpx -l urls.txt -j
Print stats during scan
httpx -l urls.txt -stats
Store responses
httpx -l urls.txt -sr
Screenshots
Create a screenshot of the web site
echo https://example.com | httpx -ss -st 5
Options
-ss
save screenshot of the page using headless browser
-st
set timeout for screenshot (default 10 seconds)
Configuration file
Use custom configuration file
httpx -config httpx-config.yaml
Default configuration file: ~/.config/httpx/config.yaml
Example configuration file
status-code: true
content-length: true
content-type: true
location: true
line-count: true
word-count: true
title: true
body-preview: true
web-server: true
tech-detect: true
ip: true
cname: true
filter-code: 302,401,403
filter-error-page: true
threads: 10
rate-limit: 20
update: false
disable-update-check: true
store-response: true
store-response-dir: httpx-responses
json: true
include-response-header: true
include-response: true
random-agent: true
#header: Custom Global Headers
follow-redirects: false
follow-host-redirects: false
tls-impersonate: true
version: false
stats: true
silent: true
stats-interval: 5
max-host-error: 3
retries: 0
timeout: 5
Updates
Disable update checks
httpx -l targets.txt -duc
Update httpx
httpx -up
Processing JSONL results with jq
Select results with status_code == 200
cat httpx.json | jq 'select(.status_code == 200)'
Select results with Ruby in tech
cat httpx.json | jq 'select(.tech[] | contains("Ruby"))'
Select URL, tech where tech contains Ruby
cat httpx.json | jq 'select(.tech[] | contains("Ruby")) | .tech,.url' 2>/dev/null
The same for PHP
cat httpx.json | jq 'select(.tech[] | contains("PHP")) | .tech,.url' 2>/dev/null
Search results by title
cat httpx.json | jq 'select(.title | contains("Index of"))'
Search all results for Nginx (case-insensitive)
cat httpx.json | jq 'select(.tech[] | ascii_downcase| contains("nginx")) | .tech,.url' 2>/dev/null
Extract basic info about each request
cat httpx.json| jq '{url: .url, host: .host, method: .method, status_code: .status_code, content_type: .content_type, words: .words, webserver: .webserver, tech: .tech, hash: .hash}'
The same, but only for 200 responses
cat httpx-* | jq 'select(.status_code == 200) | {url: .url, host: .host, method: .method, status_code: .status_code, content_type: .content_type, words: .words, webserver: .webserver, tech: .tech, hash: .hash}'
Select 200 status code and content type application/json
cat httpx.json| jq 'select((.status_code == 200) and (.content_type == "application/json"))'
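Processing JSONL results with Python
The jq filters above raise an error on any record that has no tech or title key, which is why several of them redirect stderr to /dev/null. The script below is an added example, not part of the original cheat sheet: it applies the same selections while treating missing fields as "no match" and skipping malformed lines. The sample records are constructed, and the helper names load_results and select are assumptions of this example.

```python
import json

# Constructed sample records (not real scan output); field names follow the
# jq examples on this page. The second record has no "tech" or "title" key.
SAMPLE_JSONL = """\
{"url": "https://a.example.com", "status_code": 200, "content_type": "text/html", "title": "Index of /backup", "tech": ["Nginx:1.24", "PHP"]}
{"url": "https://b.example.com", "status_code": 200, "content_type": "application/json"}
{"url": "https://c.example.com", "status_code": 403, "content_type": "text/html", "title": "Forbidden", "tech": ["nginx", "Ruby on Rails"]}
not-json-line
"""

def load_results(text):
    """Parse JSONL, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            records.append(obj)
    return records

def select(records, status=None, tech=None, title=None, content_type=None):
    """Return URLs of records matching every criterion that is not None.

    tech and title are case-insensitive substring matches; a record with no
    "tech" or "title" key simply does not match (the jq filters would error).
    """
    urls = []
    for r in records:
        if status is not None and r.get("status_code") != status:
            continue
        if content_type is not None and r.get("content_type") != content_type:
            continue
        if title is not None and title.lower() not in (r.get("title") or "").lower():
            continue
        techs = r.get("tech") or []
        if tech is not None and not any(tech.lower() in t.lower() for t in techs):
            continue
        urls.append(r.get("url"))  # one entry per record, even if several techs match
    return urls

if __name__ == "__main__":
    recs = load_results(SAMPLE_JSONL)
    print(select(recs, tech="nginx"))
    print(select(recs, status=200, content_type="application/json"))
```

To run it against real output, replace SAMPLE_JSONL with the contents of httpx.json, for example open("httpx.json").read().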