
HTTPX is a popular tool for bug bounty hunters that provides a fast and efficient way to scan web applications for security vulnerabilities. It is a lightweight and powerful HTTP client that allows testers to perform various types of scans and tests, including fuzzing, reconnaissance, and enumeration. In this article, we will discuss how to use HTTPX for bug bounty hunting and explore some of its features that make it an excellent tool for finding security vulnerabilities.
What is httpx?
HTTPX is an HTTP client developed by Project Discovery, a security company that provides a wide range of security testing tools and services. This tool is designed to be fast, efficient, and scalable, making it an excellent choice for scanning large web applications. It uses a multithreaded design to perform multiple requests simultaneously, enabling testers to scan thousands of URLs in a matter of minutes. It is also designed to be easy to use, with a simple command-line interface that requires minimal setup.
HTTPX is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads.
Httpx Features
HTTPX comes with several features that make it an excellent tool for bug bounty hunting and web application hacking. Here are some of the key features:
- Fast and efficient scanning: HTTPX uses a multithreaded design to perform multiple requests simultaneously, enabling testers to scan large web applications quickly and efficiently.
- HTTP/2 support: HTTPX supports the HTTP/2 protocol, which can be useful for testing modern web applications that make use of this protocol.
- Proxy support: This tool can be configured to use a proxy, which can help to bypass certain security measures and hide your IP address.
- Fuzzing and enumeration: HTTPX can perform various types of scans and tests, including fuzzing and enumeration, to help identify security vulnerabilities in web applications.
- Custom headers: HTTPX allows testers to customize headers in their requests, which can help to bypass certain security measures and perform more advanced testing.
- Screenshot: a feature that allows users to take screenshots of target URLs, pages, or endpoints along with the rendered DOM. This functionality enables the visual content discovery process.
Supported probes
Probes | Default check | Probes | Default check |
---|---|---|---|
URL | true | IP | true |
Title | true | CNAME | true |
Status Code | true | Raw HTTP | false |
Content Length | true | HTTP2 | false |
TLS Certificate | true | HTTP Pipeline | false |
CSP Header | true | Virtual host | false |
Line Count | true | Word Count | true |
Location Header | true | CDN | false |
Web Server | true | Paths | false |
Web Socket | true | Ports | false |
Response Time | true | Request Method | true |
Favicon Hash | false | Probe Status | false |
Body Hash | true | Header Hash | true |
Redirect chain | false | URL Scheme | true |
JARM Hash | false | ASN | false |
Httpx Installation
httpx requires go1.19 to install successfully. Run the following command to get the repo:
Running httpX
URL Probe
This will run the tool against all the hosts and subdomains in hosts.txt and return URLs running an HTTP webserver.
File Input
This will run the tool with the -probe flag against all the hosts in hosts.txt and return URLs with probed status.
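When the same hosts.txt is probed on a schedule, comparing two runs shows which web services appeared, disappeared, or changed. The script below is an added example, not part of the original article or the httpx project. It assumes each run was saved with the -json option and that every line carries the url, status_code, title and webserver keys; the sample lines are constructed.

```python
import json

# Assumption: these keys are present in each httpx -json line; adjust if yours differ.
TRACKED = ("status_code", "title", "webserver")

def load_run(jsonl_text):
    """Map url -> tracked fields for one run, skipping lines that do not parse."""
    services = {}
    for line in jsonl_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it rather than abort the diff
        url = rec.get("url") if isinstance(rec, dict) else None
        if url:
            services[url] = {k: rec.get(k) for k in TRACKED}
    return services

def diff_runs(old_text, new_text):
    """Return (appeared, disappeared, changed) between two runs."""
    old, new = load_run(old_text), load_run(new_text)
    changed = {}
    for url in sorted(set(old) & set(new)):
        delta = {k: (old[url][k], new[url][k])
                 for k in TRACKED if old[url][k] != new[url][k]}
        if delta:
            changed[url] = delta
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed

# Constructed sample data, not real scan output.
OLD_RUN = """\
{"url": "https://www.example.com", "status_code": 200, "title": "Home", "webserver": "nginx"}
{"url": "https://old.example.com", "status_code": 200, "title": "Legacy", "webserver": "Apache"}
"""
NEW_RUN = """\
{"url": "https://www.example.com", "status_code": 403, "title": "Home", "webserver": "nginx"}
{"url": "https://staging.example.com", "status_code": 200, "title": "Staging", "webserver": "nginx"}
{"url": "https://broken.example.com", "status_co
"""

if __name__ == "__main__":
    appeared, disappeared, changed = diff_runs(OLD_RUN, NEW_RUN)
    print("new:", appeared)
    print("gone:", disappeared)
    print("changed:", changed)
```
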
CIDR Input
Tool Chain
File/Path Bruteforce
Screenshot
The latest addition to the project is the -screenshot option, a powerful new feature that allows users to take screenshots of target URLs, pages, or endpoints along with the rendered DOM. This functionality enables the visual content discovery process, providing a comprehensive view of the target’s visual appearance.
The rendered DOM body is also included in the JSON line output when the -screenshot option is used with the -json option.
Usage
To use the screenshot feature, simply add the -screenshot flag to your command:
Domain, Subdomain, and Path Support
The -screenshot option is versatile and can be used to capture screenshots for domains, subdomains, and even specific paths when used in conjunction with the -path option:
Using with other tools: