HTTPX Toolkit Cheat Sheet¶
Overview¶
HTTPX es un kit de herramientas HTTP rápido y multipropósito desarrollado por Project Discovery que permite ejecutar múltiples sondas utilizando la biblioteca de http retryable. Está diseñado para mantener la fiabilidad del resultado con hilos aumentados y está optimizado para el escaneo a gran escala. HTTPX se puede utilizar para ejecutar múltiples sondas en una lista de URLs o hosts, lo que permite la digitalización y probización rápida del servidor web.
Lo que distingue HTTPX de otras herramientas HTTP es su versatilidad y velocidad. Puede procesar miles de anfitriones en minutos mientras proporciona información valiosa sobre cada objetivo, incluyendo códigos de estado, títulos, tipos de contenido, tecnologías de servidor web, y más. HTTPX se utiliza comúnmente en las fases de reconocimiento de las evaluaciones de seguridad y la caza de botín para identificar rápidamente objetivos interesantes para la investigación posterior.
HTTPX admite varios formatos de entrada y se puede integrar fácilmente con otras herramientas en un oleoducto, lo que lo convierte en un componente esencial en muchos flujos de trabajo de pruebas de seguridad. Su capacidad de filtrar los resultados basado en diversos criterios ayuda a los profesionales de la seguridad a centrarse en los objetivos más relevantes.
Instalación¶
Usando Go¶
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# Verify installation
httpx -version
Usando Docker¶
# Pull the latest Docker image
docker pull projectdiscovery/httpx:latest
# Run HTTPX using Docker
docker run -it projectdiscovery/httpx:latest -h
Usando Homebrew (macOS)¶
Usando PDTM (Project Discovery Tools Manager)¶
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
# Install HTTPX using PDTM
pdtm -i httpx
# Verify installation
httpx -version
On Kali Linux¶
Uso básico¶
Probing URLs and Hosts¶
# Probe a single URL
httpx -u https://example.com
# Probe multiple URLs
httpx -u https://example.com,https://projectdiscovery.io
# Probe from a list of URLs/hosts
httpx -l hosts.txt
# Probe from STDIN
cat hosts.txt|httpx
Output Options¶
# Save results to a file
httpx -l hosts.txt -o results.txt
# Output in JSON format
httpx -l hosts.txt -json -o results.json
# Output in CSV format
httpx -l hosts.txt -csv -o results.csv
# Silent mode (only URLs)
httpx -l hosts.txt -silent
Filtro básico¶
# Filter by status code
httpx -l hosts.txt -status-code 200
# Filter by content length
httpx -l hosts.txt -content-length 100
# Match specific title
httpx -l hosts.txt -title "Dashboard"
# Match specific technology
httpx -l hosts.txt -tech wordpress
Advanced Usage¶
Port Scanning¶
# Scan default ports (80, 443)
httpx -l hosts.txt
# Scan specific ports
httpx -l hosts.txt -ports 80,443,8080,8443
# Scan top 100 ports
httpx -l hosts.txt -ports top-100
# Scan all ports
httpx -l hosts.txt -ports all
Path Probing¶
# Probe specific paths
httpx -l hosts.txt -path /api/v1,/admin,/login
# Probe from a file containing paths
httpx -l hosts.txt -path-file paths.txt
# Automatically add trailing slash
httpx -l hosts.txt -path /api -add-slash
Protocol Options¶
# Force HTTPS
httpx -l hosts.txt -https
# Probe both HTTP and HTTPS
httpx -l hosts.txt -probe
# Skip HTTPS verification
httpx -l hosts.txt -no-verify
Request Customization¶
# Set custom headers
httpx -l hosts.txt -H "User-Agent: Mozilla/5.0" -H "Cookie: session=123456"
# Set HTTP method
httpx -l hosts.txt -method POST
# Set request body
httpx -l hosts.txt -method POST -body "username=admin&password=admin"
# Set content type
httpx -l hosts.txt -method POST -H "Content-Type: application/json" -body '\\\\{"username":"admin","password":"admin"\\\\}'
Response Filtering¶
# Match response containing specific string
httpx -l hosts.txt -match-string "admin"
# Match response using regex
httpx -l hosts.txt -match-regex "admin.*panel"
# Filter response not containing string
httpx -l hosts.txt -filter-string "not found"
# Filter response using regex
httpx -l hosts.txt -filter-regex "error|not found"
Captura de pantalla¶
# Capture screenshots
httpx -l hosts.txt -screenshot
# Specify screenshot output directory
httpx -l hosts.txt -screenshot -screenshot-output screenshots/
# Set screenshot timeout
httpx -l hosts.txt -screenshot -screenshot-timeout 20
Detection de Tecnología¶
# Detect web technologies
httpx -l hosts.txt -tech-detect
# Output only specific technologies
httpx -l hosts.txt -tech-detect -match-tech wordpress,nginx
Performance Optimization¶
Concurrencia y limitación de tarifas¶
# Set concurrency (default: 50)
httpx -l hosts.txt -concurrency 100
# Set rate limit
httpx -l hosts.txt -rate-limit 200
# Set request timeout
httpx -l hosts.txt -timeout 10
Retry and Delay Options¶
# Set maximum retries
httpx -l hosts.txt -retries 3
# Set delay between requests
httpx -l hosts.txt -delay 2s
# Set random delay
httpx -l hosts.txt -random-agent
Optimización para grandes escáneres
# Use stream mode for large inputs
httpx -l large-hosts.txt -stream
# Skip default ports probing
httpx -l hosts.txt -no-default-ports
# Skip failed host probes
httpx -l hosts.txt -skip-host-error
Integración con otras herramientas¶
Pipeline with Subfinder¶
# Find subdomains and probe them
subfinder -d example.com|httpx
# Find subdomains, probe them, and check for specific paths
subfinder -d example.com|httpx -path /api,/admin -status-code 200
Pipeline with Nuclei¶
# Find active hosts and scan for vulnerabilities
httpx -l hosts.txt -silent|nuclei -t cves/
# Find hosts with specific tech and scan for related vulnerabilities
httpx -l hosts.txt -tech-detect -match-tech wordpress -silent|nuclei -t wordpress/
Pipeline with Naabu¶
# Scan ports and probe HTTP services
naabu -host example.com -top-ports 1000 -silent|httpx
# Scan ports, probe HTTP services, and check for vulnerabilities
naabu -host example.com -top-ports 1000 -silent|httpx -silent|nuclei -t cves/
Output Customization¶
Custom Output Format¶
# Define custom output format
httpx -l hosts.txt -o results.txt -silent -format "\\\\{\\\\{.StatusCode\\\\}\\\\} \\\\{\\\\{.URL\\\\}\\\\} \\\\{\\\\{.Title\\\\}\\\\}"
# Include specific fields in output
httpx -l hosts.txt -include-response-time -include-chain -include-cdn
Response Extraction¶
# Extract title
httpx -l hosts.txt -title
# Extract favicon hash
httpx -l hosts.txt -favicon
# Extract response headers
httpx -l hosts.txt -response-header
# Extract TLS information
httpx -l hosts.txt -tls-grab
¶
# Store response bodies
httpx -l hosts.txt -store-response
# Specify response storage directory
httpx -l hosts.txt -store-response -store-response-dir responses/
# Store chain responses
httpx -l hosts.txt -store-chain
Filtro avanzado¶
Código de Estado Filtración¶
# Match specific status codes
httpx -l hosts.txt -status-code 200,301,302
# Filter out specific status codes
httpx -l hosts.txt -exclude-status-code 404,403
Content Filtering¶
# Filter by content length
httpx -l hosts.txt -content-length 100
# Match content length range
httpx -l hosts.txt -content-length-lt 1000 -content-length-gt 100
# Filter by content type
httpx -l hosts.txt -content-type "text/html"
Header Filtering¶
# Match specific header
httpx -l hosts.txt -match-header "Server: nginx"
# Filter by header presence
httpx -l hosts.txt -include-headers "Server,Content-Type"
Proxy and Network Options¶
# Use HTTP proxy
httpx -l hosts.txt -proxy http://127.0.0.1:8080
# Use SOCKS5 proxy
httpx -l hosts.txt -proxy socks5://127.0.0.1:1080
# Follow redirects
httpx -l hosts.txt -follow-redirects
# Follow redirects with max depth
httpx -l hosts.txt -follow-redirects -follow-max-redirects 5
# Follow host redirects
httpx -l hosts.txt -follow-host-redirects
Miscelánea Características¶
CRLF Injection Detection¶
CORS Misconfiguration Check¶
IP Geolocation¶
Web Cache Detection¶
Virtual Host Discovery¶
# Probe for virtual hosts
httpx -l hosts.txt -vhost
# Specify vhost wordlist
httpx -l hosts.txt -vhost -vhost-wordlist vhosts.txt
Troubleshooting¶
Common Issues¶
- Tiempos de Connección
# Increase timeout httpx -l hosts.txt -timeout 15 # Increase retries httpx -l hosts.txt -retries 3 ``` 2. ** Limitación de destino por objetivo* * ```bash # Reduce concurrency httpx -l hosts.txt -concurrency 10 # Add delay between requests httpx -l hosts.txt -delay 2s ``` 3. * Problemas de memoria* ```bash # Use stream mode for large inputs httpx -l large-hosts.txt -stream # Reduce concurrency httpx -l hosts.txt -concurrency 25 ``` 4. ** Errores TLS/SSL** ```bash # Skip TLS verification httpx -l hosts.txt -no-verify ``` ### Debugging ```bash # Enable verbose mode httpx -l hosts.txt -verbose # Show request and response details httpx -l hosts.txt -debug # Show only failed requests httpx -l hosts.txt -debug-req -debug-resp -silent
Configuración¶
Archivo de configuración¶
HTTPX utiliza un archivo de configuración ubicado en $HOME/.config/httpx/config.yaml. Puede personalizar varios ajustes en este archivo:
# Example configuration file
concurrency: 50
timeout: 5
retries: 2
rate-limit: 150
verbose: false
silent: false
output: httpx_output.txt
Environment Variables¶
# Set HTTPX configuration via environment variables
export HTTPX_CONCURRENCY=50
export HTTPX_TIMEOUT=5
export HTTPX_RETRIES=2
export HTTPX_RATE_LIMIT=150
Reference¶
Command Line Options¶
| Flag | Description |
|---|---|
| INLINE_CODE_41 | Target URL/host to probe |
| INLINE_CODE_42 | File containing list of URLs/hosts to probe |
| INLINE_CODE_43 | File to write output to |
| INLINE_CODE_44 | Write output in JSON format |
| INLINE_CODE_45 | Write output in CSV format |
| INLINE_CODE_46 | Show only URLs/hosts in output |
| INLINE_CODE_47 | Show verbose output |
| INLINE_CODE_48 | Show request/response details |
| INLINE_CODE_49 | Show HTTPX version |
| INLINE_CODE_50 | Ports to probe (default: 80,443) |
| INLINE_CODE_51 | Path(s) to probe |
| INLINE_CODE_52 | HTTP method to use |
| INLINE_CODE_53 | Filter by status code |
| INLINE_CODE_54 | Filter by title |
| INLINE_CODE_55 | Filter by content length |
| INLINE_CODE_56 | Detect web technologies |
| INLINE_CODE_57 | Follow HTTP redirects |
| INLINE_CODE_58 | Skip TLS verification |
| INLINE_CODE_59 | Custom header to add to all requests |
| INLINE_CODE_60 | Match response containing string |
| INLINE_CODE_61 | Match response using regex |
| INLINE_CODE_62 | Filter response not containing string |
| INLINE_CODE_63 | Filter response not matching regex |
| INLINE_CODE_64 | Take screenshots of websites |
| INLINE_CODE_65 | Number of concurrent requests |
| INLINE_CODE_66 | Maximum number of requests per second |
| INLINE_CODE_67 | Timeout in seconds for HTTP requests |
| INLINE_CODE_68 | Number of retries for failed requests |
| INLINE_CODE_69 | Delay between requests |
| INLINE_CODE_70 | HTTP/SOCKS5 proxy to use |
Output Fields¶
| Field | Description |
|---|---|
| INLINE_CODE_71 | Target URL |
| INLINE_CODE_72 | Original input |
| INLINE_CODE_73 | URL scheme (http/https) |
| INLINE_CODE_74 | Target host |
| INLINE_CODE_75 | Target port |
| INLINE_CODE_76 | URL path |
| INLINE_CODE_77 | HTTP status code |
| INLINE_CODE_78 | Page title |
| INLINE_CODE_79 | Content type header |
| INLINE_CODE_80 | Content length |
| INLINE_CODE_81 | Response time in seconds |
| INLINE_CODE_82 | Detected technologies |
| INLINE_CODE_83 | Server header |
| INLINE_CODE_84 | Detected web server |
| INLINE_CODE_85 | Target IP address |
| INLINE_CODE_86 | CDN information |
| INLINE_CODE_87 | Favicon hash |
| INLINE_CODE_88 | TLS information |
| INLINE_CODE_89 | Redirect location |
| INLINE_CODE_90 | Virtual host information |
Resources¶
- [Documentación Oficial](URL_91__
- [Repositorio GitHub](URL_92__
- [Discord de descubrimiento del producto](URL_93_
-...
*Esta hoja de trampolín proporciona una referencia completa para el uso de HTTPX, desde el probing básico hasta el filtrado avanzado e integración con otras herramientas. Para la información más actualizada, consulte siempre la documentación oficial. *