httpx – Fast And Multi-Purpose HTTP Toolkit

httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probers using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads.

Features

  • Simple and modular code base making it easy to contribute.
  • Fast and fully configurable flags to probe multiple elements.
  • Supports multiple HTTP based probings.
  • Smart auto fallback from https to http as default.
  • Supports hosts, URLs and CIDR as input.
  • Handles edge cases with retries, backoffs, etc. when dealing with WAFs.

Supported probes:

| Probes | Default check | Probes | Default check |
|---|---|---|---|
| URL | true | IP | true |
| Title | true | CNAME | true |
| Status Code | true | Raw HTTP | false |
| Content Length | true | HTTP2 | false |
| TLS Certificate | true | HTTP 1.1 Pipeline | false |
| CSP Header | true | Virtual host | false |
| Location Header | true | CDN | false |
| Web Server | true | Path | false |
| Web Socket | true | Ports | false |
| Response Time | true | Request method | false |

Installation Instructions

From Binary

Installation is easy. Download the pre-built binary for your platform from the Releases page, extract it using tar, move it to your $PATH and you’re ready to go.

Download latest binary from https://github.com/projectdiscovery/httpx/releases

▶ tar -xvf httpx-linux-amd64.tar
▶ mv httpx-linux-amd64 /usr/local/bin/httpx
▶ httpx -h

From Source

httpx requires go1.14+ to install successfully. Run the following command to get the repo:

▶ GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx

From GitHub

▶ git clone https://github.com/projectdiscovery/httpx.git; cd httpx/cmd/httpx; go build; mv httpx /usr/local/bin/; httpx -version

Usage

httpx -h

This will display help for the tool. Here are all the switches it supports.

| Flag | Description | Example |
|---|---|---|
| H | Custom Header input | httpx -H 'x-bug-bounty: hacker' |
| follow-redirects | Follow URL redirects (default false) | httpx -follow-redirects |
| follow-host-redirects | Follow URL redirects only on same host (default false) | httpx -follow-host-redirects |
| http-proxy | URL of the proxy server | httpx -http-proxy hxxp://proxy-host:80 |
| l | File containing HOST/URLs/CIDR to process | httpx -l hosts.txt |
| no-color | Disable colors in the output. | httpx -no-color |
| o | File to save output result (optional) | httpx -o output.txt |
| json | Prints all the probes in JSON format (default false) | httpx -json |
| vhost | Probes to detect vhost from list of subdomains | httpx -vhost |
| threads | Number of threads (default 50) | httpx -threads 100 |
| http2 | HTTP2 probing | httpx -http2 |
| pipeline | HTTP1.1 Pipeline probing | httpx -pipeline |
| ports | Ports ranges to probe (nmap syntax: eg 1,2-10,11) | httpx -ports 80,443,100-200 |
| title | Prints title of page if available | httpx -title |
| path | Request path/file | httpx -path /api |
| content-length | Prints content length in the output | httpx -content-length |
| ml | Match content length in the output | httpx -content-length -ml 125 |
| fl | Filter content length in the output | httpx -content-length -fl 0,43 |
| status-code | Prints status code in the output | httpx -status-code |
| mc | Match status code in the output | httpx -status-code -mc 200,302 |
| fc | Filter status code in the output | httpx -status-code -fc 404,500 |
| tls-probe | Send HTTP probes on the extracted TLS domains | httpx -tls-probe |
| content-type | Prints content-type | httpx -content-type |
| location | Prints location header | httpx -location |
| csp-probe | Send HTTP probes on the extracted CSP domains | httpx -csp-probe |
| web-server | Prints running web server if available | httpx -web-server |
| sr | Store responses to file (default false) | httpx -sr |
| srd | Directory to store response (optional) | httpx -srd httpx-output |
| unsafe | Send raw requests skipping golang normalization | httpx -unsafe |
| request | File containing raw request to process | httpx -request |
| retries | Number of retries | httpx -retries |
| silent | Prints only results in the output | httpx -silent |
| stats | Prints statistics every 5 seconds | httpx -stats |
| timeout | Timeout in seconds (default 5) | httpx -timeout 10 |
| verbose | Verbose Mode | httpx -verbose |
| version | Prints current version of the httpx | httpx -version |
| x | Request Method (default 'GET') | httpx -x HEAD |
| method | Output requested method | httpx -method |
| response-time | Output the response time | httpx -response-time |
| response-in-json | Include response in stdout (only works with -json) | httpx -response-in-json |
| websocket | Prints if a websocket is exposed | httpx -websocket |
| ip | Prints the host IP | httpx -ip |
| cname | Prints the cname record if available | httpx -cname |
| cdn | Check if domain's ip belongs to known CDN | httpx -cdn |
| filter-string | Filter results based on filtered string | httpx -filter-string XXX |
| match-string | Filter results based on matched string | httpx -match-string XXX |
| filter-regex | Filter results based on filtered regex | httpx -filter-regex XXX |
| match-regex | Filter results based on matched regex | httpx -match-regex XXX |

Running httpx with stdin

This will run the tool against all the hosts and subdomains in hosts.txt and return the URLs running an HTTP web server.

▶ cat hosts.txt | httpx 

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   / 
 / / / / /_/ /_/ /_/ /   |  
/_/ /_/\__/\__/ .___/_/|_|   v1.0  
             /_/            

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

https://mta-sts.managed.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://docs.hackerone.com
https://www.hackerone.com
https://resources.hackerone.com
https://api.hackerone.com
https://support.hackerone.com

Running httpx with file input

This will run the tool against all the hosts and subdomains in hosts.txt and return the URLs running an HTTP web server.

▶ httpx -l hosts.txt -silent

https://docs.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://www.hackerone.com
https://resources.hackerone.com
https://api.hackerone.com
https://support.hackerone.com

Running httpx with CIDR input

▶ echo 173.0.84.0/24 | httpx -silent

https://173.0.84.29
https://173.0.84.43
https://173.0.84.31
https://173.0.84.44
https://173.0.84.12
https://173.0.84.4
https://173.0.84.36
https://173.0.84.45
https://173.0.84.14
https://173.0.84.25
https://173.0.84.46
https://173.0.84.24
https://173.0.84.32
https://173.0.84.9
https://173.0.84.13
https://173.0.84.6
https://173.0.84.16
https://173.0.84.34

Running httpx with subfinder

▶ subfinder -d hackerone.com -silent | httpx -title -content-length -status-code -silent

https://mta-sts.forwarding.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://mta-sts.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://mta-sts.managed.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://docs.hackerone.com [200] [65444] [HackerOne Platform Documentation]
https://www.hackerone.com [200] [54166] [Bug Bounty - Hacker Powered Security Testing | HackerOne]
https://support.hackerone.com [301] [489] []
https://api.hackerone.com [200] [7791] [HackerOne API]
https://hackerone.com [301] [92] []
https://resources.hackerone.com [301] [0] []
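
The match and filter flags from the table (-mc/-fc on the status code, -ml/-fl on the content length) can be re-applied offline to output saved from a run like the one above, without probing the hosts again. The Go program below is an added example, not httpx's own code: Result, Parse, keep and Select are hypothetical names, and it assumes uncoloured output in the URL [status] [length] [title] layout shown above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Result is one line of `httpx -title -content-length -status-code` output.
type Result struct{ URL, Status, Length, Title string }

// Layout from the sample run: URL [status] [length] [title]; assumes no ANSI colour codes.
var lineRe = regexp.MustCompile(`^(\S+) \[(\d+)\] \[(\d+)\] \[(.*)\]$`)

// Parse skips anything that is not a result line (banner, [WRN] lines, blanks).
func Parse(output string) (out []Result) {
	for _, line := range strings.Split(output, "\n") {
		if m := lineRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			out = append(out, Result{m[1], m[2], m[3], m[4]})
		}
	}
	return out
}

// keep takes comma-separated lists as the flags do: a non-empty match list
// keeps only listed values (-mc, -ml); a filter list drops them (-fc, -fl).
func keep(v, match, filter string) bool {
	in := func(list string) bool { return strings.Contains(","+list+",", ","+v+",") }
	return (match == "" || in(match)) && !in(filter)
}

// Select re-applies -mc/-fc to the status code and -ml/-fl to the length.
func Select(rs []Result, mc, fc, ml, fl string) (out []Result) {
	for _, r := range rs {
		if keep(r.Status, mc, fc) && keep(r.Length, ml, fl) {
			out = append(out, r)
		}
	}
	return out
}

// Sample holds three lines copied from the subfinder run shown above.
const Sample = `https://mta-sts.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://docs.hackerone.com [200] [65444] [HackerOne Platform Documentation]
https://resources.hackerone.com [301] [0] []`

func main() {
	fmt.Println(Select(Parse(Sample), "", "404,500", "", "0,43"))
}
```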

Notes

  • By default, httpx probes HTTPS first and falls back to HTTP only if HTTPS is not reachable.
  • To print both HTTP and HTTPS results, the no-fallback flag can be used.
  • A custom scheme for ports can be defined, for example -ports http:443,http:80,https:8443
  • vhost, http2, pipeline, ports, csp-probe, tls-probe and path are unique flags with different probes.
  • Unique flags should be used for specific use cases instead of running them by default with other flags.
  • When using the json flag, all the information (default probes) is included in the JSON output.
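
To see how many scheme/port pairs a -ports value stands for before combining it with a CIDR input, the syntax from the flag table and the custom-scheme note can be expanded as follows. This is an added example, not httpx's parser: Target and ExpandPorts are hypothetical names, and accepting a scheme prefix on a range (for instance http:8000-8010) is an assumption of this example that generalizes the single-port form shown in the note.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Target is one scheme/port pair to probe. An empty Scheme means the default
// behaviour from the Notes: HTTPS first, then HTTP fallback.
type Target struct {
	Scheme string
	Port   int
}

// ExpandPorts expands an nmap-style list such as "80,443,100-200", with an
// optional per-entry scheme prefix as in "http:443,https:8443".
func ExpandPorts(spec string) ([]Target, error) {
	var out []Target
	for _, item := range strings.Split(spec, ",") {
		scheme, ports := "", strings.TrimSpace(item)
		if i := strings.Index(ports, ":"); i >= 0 {
			scheme, ports = ports[:i], ports[i+1:]
			if scheme != "http" && scheme != "https" {
				return nil, fmt.Errorf("unknown scheme %q", scheme)
			}
		}
		lo, hi := ports, ports
		if i := strings.Index(ports, "-"); i >= 0 {
			lo, hi = ports[:i], ports[i+1:]
		}
		first, err1 := strconv.Atoi(lo)
		last, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || first < 1 || last > 65535 || first > last {
			return nil, fmt.Errorf("bad port entry %q", item)
		}
		for p := first; p <= last; p++ {
			out = append(out, Target{scheme, p})
		}
	}
	return out, nil
}

func main() {
	ts, err := ExpandPorts("http:443,http:80,https:8443,100-200")
	fmt.Println(len(ts), err)
}
```

Multiplying the returned count by the number of hosts in the input (256 addresses for a /24) gives the number of probes a run will send.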

Thanks

httpx is made with 🖤 by the projectdiscovery team. Community contributions have made the project what it is. See the Thanks.md file for more details. Do also check out these similar awesome projects that may fit in your workflow:

The probing feature is inspired by @tomnomnom/httprobe's work.