Web Tools Cheatsheet
For full methodology and test-by-test checklists, see Web Application.
curl
# Basic GET
curl http://target.com
# Headers only
curl -I http://target.com
# Verbose (full request + response)
curl -v http://target.com
# Follow redirects
curl -L http://target.com
# Skip TLS certificate verification (accepts self-signed certs)
curl -k https://target.com
# Add header
curl -H 'Cookie: session=abc123' http://target.com
curl -H 'Authorization: Bearer <token>' http://target.com
# POST with JSON body
curl -X POST http://target.com/api -H 'Content-Type: application/json' -d '{"key":"value"}'
# POST form data
curl -X POST http://target.com/login -d 'user=admin&pass=password'
# Basic auth
curl -u username:password http://target.com
# PUT/DELETE
curl -X PUT http://target.com/resource -d '{"update":"val"}'
curl -X DELETE http://target.com/resource/1
# Save response to file
curl -o output.html http://target.com
# Upload file
curl -F "file=@/path/to/file.txt" http://target.com/upload
# Use proxy (e.g. Burp)
curl -x http://127.0.0.1:8080 -k https://target.com
# Set custom User-Agent
curl -A "Mozilla/5.0" http://target.com
wget
# Download file
wget http://target.com/file.txt
# Recursive site download
wget -r -np -k http://target.com/
# Save to a specified filename
wget -O output.html http://target.com
# Use proxy
wget -e http_proxy=127.0.0.1:8080 http://target.com
httpx
Fast HTTP probing across a list of hosts/IPs.
# Probe list of hosts, show status codes and titles
cat hosts.txt | httpx -status-code -title
# Filter by status code
cat hosts.txt | httpx -mc 200,301,302
# Detect tech stack
cat hosts.txt | httpx -tech-detect
# Show content length and server header
cat hosts.txt | httpx -content-length -server
# Save live hosts
cat hosts.txt | httpx -o live.txt
# Probe on specific port
cat hosts.txt | httpx -ports 8080,8443,8888
ffuf
Directory/parameter fuzzing.
# Directory brute force
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
# Subdomain fuzzing
ffuf -u http://FUZZ.target.com -w subdomains.txt -H "Host: FUZZ.target.com"
# POST parameter fuzzing
ffuf -u http://target.com/login -X POST -d 'user=FUZZ&pass=admin' -w users.txt
# Filter by status code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404
# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 1234
# Match on string in response
ffuf -u http://target.com/FUZZ -w wordlist.txt -mr "Welcome"
# Extensions
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.bak,.txt
# Rate limit
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 50
# Use proxy (Burp)
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
feroxbuster
Recursive content discovery.
# Basic scan
feroxbuster -u http://target.com -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Recursive with extensions
feroxbuster -u http://target.com -w wordlist.txt -x php,html,bak
# Skip TLS certificate verification
feroxbuster -u https://target.com -w wordlist.txt -k
# Filter status codes
feroxbuster -u http://target.com -w wordlist.txt --filter-status 404,403
# Set threads
feroxbuster -u http://target.com -w wordlist.txt -t 50
# Output to file
feroxbuster -u http://target.com -w wordlist.txt -o results.txt
Nuclei
Template-based vulnerability scanner.
# Scan with all templates
nuclei -u http://target.com
# Scan a list of targets
nuclei -l targets.txt
# Specific template categories
nuclei -u http://target.com -t technologies/
nuclei -u http://target.com -t cves/
nuclei -u http://target.com -t exposures/
nuclei -u http://target.com -t vulnerabilities/
# Specific severity
nuclei -u http://target.com -severity critical,high
# Run a single template
nuclei -u http://target.com -t /path/to/template.yaml
# Output
nuclei -u http://target.com -o nuclei-results.txt -json
# Update templates
nuclei -update-templates
Nikto
Web server misconfiguration scanner.
# Basic scan
nikto -h http://target.com
# Specify port
nikto -h target.com -p 8080
# Use SSL
nikto -h https://target.com -ssl
# Through proxy
nikto -h http://target.com -useproxy http://127.0.0.1:8080
# Save output
nikto -h http://target.com -o nikto.txt -Format txt
Gobuster
Directory and DNS brute-forcing.
# Directory mode
gobuster dir -u http://target.com -w wordlist.txt
# DNS mode (subdomain enum)
gobuster dns -d target.com -w subdomains.txt
# VHOST mode
gobuster vhost -u http://target.com -w vhosts.txt
# With extensions
gobuster dir -u http://target.com -w wordlist.txt -x php,txt,html
# Skip TLS certificate verification
gobuster dir -u https://target.com -w wordlist.txt -k
Burp Suite Tips
# Quick proxy setup
Browser → 127.0.0.1:8080 → install Burp CA cert at http://burp
# Intercept toggle: Ctrl+T (Proxy tab)
# Send to Repeater: Ctrl+R
# Send to Intruder: Ctrl+I
# Forward request: Ctrl+F
# Search in response: Ctrl+F (in response pane)
Useful extensions:
- Autorize — Automated access control testing
- Param Miner — Hidden parameter discovery
- JWT Editor — JWT manipulation
- Turbo Intruder — High-speed fuzzing
- Upload Scanner — File upload vulnerability testing
- CSRF Scanner — CSRF detection
testssl.sh
TLS configuration analysis.
# Full scan
testssl.sh https://target.com
# Check specific issues
testssl.sh --heartbleed --poodle --beast https://target.com
# Output to JSON
testssl.sh --jsonfile results.json https://target.com
See Also
- Web Application — Full web app pentest methodology & checklist
- Scanning — Port and service scanning