Files
strix/strix/skills/tooling/httpx.md
T
0xallam 8ed5311b8e Surface the previously-undocumented sandbox tools and unbreak two of them
The image ships 15 tools (jwt_tool, interactsh-client, arjun, dirsearch,
gospider, wafw00f, retire, eslint, jshint, js-beautify, JS-Snooper,
jsniper.sh, vulnx, ncat, uv) that the always-loaded skills never name
with usage guidance — agents could discover them via the environment
catalog but had no when/how. Add concise mentions in the natural home
for each: jwt_tool in the JWT skill, interactsh-client in the OAST
sections of SSRF/XXE/RCE, arjun in IDOR recon, dirsearch as the broad
alternate in the ffuf skill, gospider + the JS scrapers in katana,
wafw00f next to httpx, retire/eslint/jshint/js-beautify as a new
JavaScript-Side Coverage block in the SAST playbook, uv in python,
vulnx in the deep scan-mode CVE bullet, ncat in a new RCE Tooling
block.

Audit also turned up three real breakages along the way:

- jwt_tool's shebang resolves to /usr/bin/python3 but its dependencies
  live in /app/.venv, so every invocation died with
  ModuleNotFoundError: ratelimit. Replace the bare symlink with a
  wrapper that execs /app/.venv/bin/python against the real script.
- dirsearch's pipx venv ended up with setuptools 82, which dropped
  pkg_resources — startup failed before parsing args. Pin the inject
  to setuptools<81.
- ESLint's --no-eslintrc flag was removed in v9; the surviving
  --no-config-lookup covers it. Drop the dead flag from the SAST
  command block.

Also corrected the JS-Snooper / jsniper.sh entry in katana.md — both
take a bare domain and run their own JS discovery internally, not the
JS URLs Katana already harvested.
2026-05-25 22:02:15 -07:00

3.4 KiB

name, description
name description
httpx ProjectDiscovery httpx probing syntax, exact probe flags, and automation-safe output patterns.

httpx CLI Playbook

Official docs:

Canonical syntax: httpx [flags]

High-signal flags:

  • -u, -target <url> single target
  • -l, -list <file> target list
  • -nf, -no-fallback probe both HTTP and HTTPS
  • -nfs, -no-fallback-scheme do not auto-switch schemes
  • -sc status code
  • -title page title
  • -server, -web-server server header
  • -td, -tech-detect technology detection
  • -fr, -follow-redirects follow redirects
  • -mc <codes> / -fc <codes> match or filter status codes
  • -path <path_or_file> probe specific paths
  • -p, -ports <ports> probe custom ports
  • -proxy, -http-proxy <url> proxy target requests
  • -tlsi, -tls-impersonate experimental TLS impersonation
  • -j, -json JSONL output
  • -sr, -store-response store request/response artifacts
  • -srd, -store-response-dir <dir> custom directory for stored artifacts
  • -silent compact output
  • -rl <n> requests/second cap
  • -t <n> threads
  • -timeout <seconds> request timeout
  • -retries <n> retry attempts
  • -o <file> output file

Agent-safe baseline for automation: httpx -l hosts.txt -sc -title -server -td -fr -timeout 10 -retries 1 -rl 50 -t 25 -silent -j -o httpx.jsonl

Common patterns:

  • Quick live+fingerprint check: httpx -l hosts.txt -sc -title -server -td -silent -o httpx.txt
  • Probe known admin paths: httpx -l hosts.txt -path /,/login,/admin -sc -title -silent -j -o httpx_paths.jsonl
  • Probe both schemes explicitly: httpx -l hosts.txt -nf -sc -title -silent
  • Vhost detection pass: httpx -l hosts.txt -vhost -sc -title -silent -j -o httpx_vhost.jsonl
  • Proxy-instrumented probing: httpx -l hosts.txt -sc -title -proxy http://127.0.0.1:48080 -silent -j -o httpx_proxy.jsonl
  • Response-storage pass for downstream content parsing: httpx -l hosts.txt -fr -sr -srd recon/httpx_store -sc -title -server -cl -ct -location -probe -silent

Critical correctness rules:

  • For machine parsing, prefer -j -o <file>.
  • Keep -rl and -t explicit for reproducible throughput.
  • Use -nf when you need dual-scheme probing from host-only input.
  • When using -path or -ports, keep scope tight to avoid accidental scan inflation.
  • Use -sr -srd <dir> when later steps need raw response artifacts (JS/route extraction, grepping, replay).

Usage rules:

  • Use -silent for pipeline-friendly output.
  • Use -mc/-fc when downstream steps depend on specific response classes.
  • Prefer -proxy flag over global proxy env vars when only httpx traffic should be proxied.
  • Do not use -h/--help for routine runs unless absolutely necessary.

Failure recovery:

  • If too many timeouts occur, reduce -rl/-t and/or increase -timeout.
  • If output is noisy, add -fc filters or -fd duplicate filtering.
  • If HTTPS-only probing misses HTTP services, rerun with -nf (and avoid -nfs).

If uncertain, query web_search with: site:docs.projectdiscovery.io httpx <flag> usage

Companion: wafw00f <url> fingerprints the WAF/CDN in front of a target (Cloudflare, Akamai, AWS WAF, etc.). Run it once after httpx confirms the host is live — the WAF identity decides whether to throttle fuzzing, swap to evasion payload sets, or assume blocking and route differently.