8ed5311b8e
The image ships 15 tools (jwt_tool, interactsh-client, arjun, dirsearch, gospider, wafw00f, retire, eslint, jshint, js-beautify, JS-Snooper, jsniper.sh, vulnx, ncat, uv) that the always-loaded skills never name with usage guidance — agents could discover them via the environment catalog but had no when/how. Add concise mentions in the natural home for each: jwt_tool in the JWT skill, interactsh-client in the OAST sections of SSRF/XXE/RCE, arjun in IDOR recon, dirsearch as the broad alternate in the ffuf skill, gospider + the JS scrapers in katana, wafw00f next to httpx, retire/eslint/jshint/js-beautify as a new JavaScript-Side Coverage block in the SAST playbook, uv in python, vulnx in the deep scan-mode CVE bullet, ncat in a new RCE Tooling block. Audit also turned up three real breakages along the way: - jwt_tool's shebang resolves to /usr/bin/python3 but its dependencies live in /app/.venv, so every invocation died with ModuleNotFoundError: ratelimit. Replace the bare symlink with a wrapper that execs /app/.venv/bin/python against the real script. - dirsearch's pipx venv ended up with setuptools 82, which dropped pkg_resources — startup failed before parsing args. Pin the inject to setuptools<81. - ESLint's --no-eslintrc flag was removed in v9; the surviving --no-config-lookup covers it. Drop the dead flag from the SAST command block. Also corrected the JS-Snooper / jsniper.sh entry in katana.md — both take a bare domain and run their own JS discovery internally, not the JS URLs Katana already harvested.
3.4 KiB
3.4 KiB
name, description
| name | description |
|---|---|
| httpx | ProjectDiscovery httpx probing syntax, exact probe flags, and automation-safe output patterns. |
httpx CLI Playbook
Official docs:
- https://docs.projectdiscovery.io/opensource/httpx/usage
- https://docs.projectdiscovery.io/opensource/httpx/running
- https://github.com/projectdiscovery/httpx
Canonical syntax:
httpx [flags]
High-signal flags:
-u, -target <url>single target-l, -list <file>target list-nf, -no-fallbackprobe both HTTP and HTTPS-nfs, -no-fallback-schemedo not auto-switch schemes-scstatus code-titlepage title-server, -web-serverserver header-td, -tech-detecttechnology detection-fr, -follow-redirectsfollow redirects-mc <codes>/-fc <codes>match or filter status codes-path <path_or_file>probe specific paths-p, -ports <ports>probe custom ports-proxy, -http-proxy <url>proxy target requests-tlsi, -tls-impersonateexperimental TLS impersonation-j, -jsonJSONL output-sr, -store-responsestore request/response artifacts-srd, -store-response-dir <dir>custom directory for stored artifacts-silentcompact output-rl <n>requests/second cap-t <n>threads-timeout <seconds>request timeout-retries <n>retry attempts-o <file>output file
Agent-safe baseline for automation:
httpx -l hosts.txt -sc -title -server -td -fr -timeout 10 -retries 1 -rl 50 -t 25 -silent -j -o httpx.jsonl
Common patterns:
- Quick live+fingerprint check:
httpx -l hosts.txt -sc -title -server -td -silent -o httpx.txt - Probe known admin paths:
httpx -l hosts.txt -path /,/login,/admin -sc -title -silent -j -o httpx_paths.jsonl - Probe both schemes explicitly:
httpx -l hosts.txt -nf -sc -title -silent - Vhost detection pass:
httpx -l hosts.txt -vhost -sc -title -silent -j -o httpx_vhost.jsonl - Proxy-instrumented probing:
httpx -l hosts.txt -sc -title -proxy http://127.0.0.1:48080 -silent -j -o httpx_proxy.jsonl - Response-storage pass for downstream content parsing:
httpx -l hosts.txt -fr -sr -srd recon/httpx_store -sc -title -server -cl -ct -location -probe -silent
Critical correctness rules:
- For machine parsing, prefer
-j -o <file>. - Keep
-rland-texplicit for reproducible throughput. - Use
-nfwhen you need dual-scheme probing from host-only input. - When using
-pathor-ports, keep scope tight to avoid accidental scan inflation. - Use
-sr -srd <dir>when later steps need raw response artifacts (JS/route extraction, grepping, replay).
Usage rules:
- Use
-silentfor pipeline-friendly output. - Use
-mc/-fcwhen downstream steps depend on specific response classes. - Prefer
-proxyflag over global proxy env vars when only httpx traffic should be proxied. - Do not use
-h/--helpfor routine runs unless absolutely necessary.
Failure recovery:
- If too many timeouts occur, reduce
-rl/-tand/or increase-timeout. - If output is noisy, add
-fcfilters or-fdduplicate filtering. - If HTTPS-only probing misses HTTP services, rerun with
-nf(and avoid-nfs).
If uncertain, query web_search with:
site:docs.projectdiscovery.io httpx <flag> usage
Companion: wafw00f <url> fingerprints the WAF/CDN in front of a target
(Cloudflare, Akamai, AWS WAF, etc.). Run it once after httpx confirms the
host is live — the WAF identity decides whether to throttle fuzzing,
swap to evasion payload sets, or assume blocking and route differently.