cURL (client URL) is a command-line tool and library that primarily supports HTTP along with many other protocols. This makes it a good candidate for scripts as well as automation, making it essential for sending various types of web requests from the command line, which is necessary for many types of web penetration tests.
Driven by command line but interaction through command line with browsers such and Chrome or Safari are a critical part of web penetration testing.
PenDraggin@htb[/htb]$ curl -h
Usage: curl [options...] <url>
**-b, --set cookie <cookie> ('cookie')
-d, --data <data> HTTP POST data
-H, --set request headers
-h, --help <category> Get help for commands
-i, --include Include protocol response headers in the output
-I, --head Send HEAD request and only display response headers
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
-s, --silent Silent mode
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-vvv --even more verebose - show an even more verbose output
-X POST, --send a POST request**
This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
Use the user manual `man curl` or the "--help all" flag for all options.
Web_Requests_Module_Cheat_Sheet.pdf
| Command | Description |
|---|---|
curl -h |
cURL help menu |
curl inlanefreight.com |
Basic GET request |
curl -s -O inlanefreight.com/index.html |
Download file |
curl -k <https://inlanefreight.com> |
Skip HTTPS (SSL) certificate validation |
curl inlanefreight.com -v |
Print full HTTP request/response details |
curl -I <https://www.inlanefreight.com> |
Send HEAD request (only prints response headers) |
curl -i <https://www.inlanefreight.com> |
Print response headers and response body |
curl <https://www.inlanefreight.com> -A 'Mozilla/5.0' |
Set User-Agent header |
curl -u admin:admin http://<SERVER_IP>:<PORT>/ |
Set HTTP basic authorization credentials |
curl <http://admin>:admin@<SERVER_IP>:<PORT>/ |
Pass HTTP basic auth credentials in the URL |
| Command | Description |
|---|---|
curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/ |
Set request header |
curl 'http://<SERVER_IP>:<PORT>/search.php?search=le' |
Pass GET parameters |
curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/ |
Send POST request with POST data |
curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/ |
Set request cookies |
curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php |
Send POST request with JSON data |
| Command | Description |
|---|---|
curl http://<SERVER_IP>:<PORT>/api.php/city/london |
Read entry |
| `curl -s http://<SERVER_IP>:<PORT>/api.php/city/ | jq` |
curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json' |
Create (add) entry |
curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json' |
Update (modify) entry |
curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City |
Delete entry |
| Shortcut | Description |
|---|---|
CTRL+SHIFT+I or F12 |
Show DevTools |
CTRL+SHIFT+E |
Show Network tab |
CTRL+SHIFT+K |
Show Console tab |
| Protocols | DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS, WSS |
|---|---|
| Proxies | SOCKS4, SOCKS5, HTTP, HTTPS (HTTP/1 and HTTP/2), tunneling, via unix domain sockets, haproxy, SOCKS+HTTP proxy chain |
| HTTP | GET, POST, PUT, HEAD, multipart formpost, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2 (h2c, h2, prior knowledge), HTTP/3 (dual connect h1/h2 + h3 or h3-only), HSTS, Alt-Svc, cookies, PSL, etags, transfer compression, ranges, custom headers, custom method, follow redirects |
| FTP | IPv6 (EPRT, EPSV), STLS, upload/download, append, range, passive/active, kerberos, directory listing, custom commands |
| SCP + SFTP | known hosts, md5/sha256 fingerprint, compression, upload/download, directory listing |
| TLS | 1.0 - 1.3, mutual authentication, STARTTLS, OCSP stapling, ECH, False Start, key pinning, PQC ready, session resumption, early data |
| Auth | Basic, Plain, Digest, CRAM-MD5, SCRAM-SHA, NTLM, Negotiate, Kerberos, Bearer tokens, AWS Sigv4, SASL, .netrc |
| HTTP Compression | gzip, brotli and zstd |
| Name resolving | DNS-over-HTTPS, custom address for host, name+port redirect, custom DNS servers, DNS caching |
| Connection | connection reuse, Interface binding, Happy Eyeballs, IPv4/IPv6-only, unix domain sockets, TCP keepalive, TCP Fast Open, TCP Nodelay, MPTCP, VLAN priority, IP Type Of Service |
| Transfers | transfer rate limiting, request rate limiting, stall detection, retries, timeouts |
| URLs | Unlimited amount, parallel and serial transfers, globbing |
| Output | IDN hostnames, custom info from transfer, metadata as JSON, per content-disposition, libcurl source code, bold headers |