loading
loading
Discovery
Take screenshots of live web hosts with httpx's headless rendering at scale.
overview
httpx-screenshot wraps ProjectDiscovery httpx with screenshot capture enabled so a URL list becomes both a probe result set and a visual inventory of what each host renders.
Alongside screenshots you still get status, title, and tech signals, which makes triage faster than screenshots alone when hundreds of hosts come back from recon.
Run it after httpx or subdomain probing when analysts need a glanceable gallery before deeper crawling or scanning.
use cases
Screenshot every live host so an analyst can scan a gallery for login pages, admin panels, and default installs at a glance.
Spot forgotten staging sites, error pages, and exposed consoles by eye instead of parsing status codes for hundreds of hosts.
Set -screenshot-idle so single-page apps finish loading before the capture, avoiding blank or half-rendered shots.
Keep httpx status, title, and tech alongside each screenshot so the image and the metadata travel together for triage.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| x | STRING | -x | request methods to probe, use 'all' to probe all HTTP methods |
| ip | BOOLEAN | -ip | display host ip |
| asn | BOOLEAN | -asn | display host asn information |
| cdn | BOOLEAN | -cdn | display cdn in use |
| csv | BOOLEAN | -csv | store output in csv format |
| body | FILE | -body | post body to include in http request |
| deny | STRING | -deny | denied list of IP/CIDR's to process (comma separated) |
Showing key inputs. httpx-screenshot exposes 123 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| x | STRING | -x | request methods to probe, use 'all' to probe all HTTP methods |
| ip | BOOLEAN | -ip | display host ip |
| asn | BOOLEAN | -asn | display host asn information |
| cdn | BOOLEAN | -cdn | display cdn in use |
| csv | BOOLEAN | -csv | store output in csv format |
| body | FILE | -body | post body to include in http request |
| deny | STRING | -deny | denied list of IP/CIDR's to process (comma separated) |
| hash | STRING | -hash | display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512) |
| jarm | BOOLEAN | -jarm | display jarm fingerprint hash |
| json | BOOLEAN | -json | store output in JSONL(ines) format |
| list | FILE | -list | input file containing list of hosts to process |
| path | STRING | -path | path or list of paths to probe (comma-separated) |
| ztls | BOOLEAN | -ztls | use ztls library with autofallback to standard one for tls13 |
| allow | STRING | -allow | allowed list of IP/CIDR's to process (comma separated) |
| cname | BOOLEAN | -cname | display host cname |
| debug | BOOLEAN | -debug | display request/response content in cli |
| delay | STRING | -delay | duration between each http request (eg: 200ms, 1s) (default -1ns) |
| http2 | BOOLEAN | -http2 | probe and display server supporting HTTP2 |
| ports | STRING | -ports | ports to probe (nmap syntax: eg http:1,2-10,11,https:80) |
| probe | BOOLEAN | -probe | display probe status |
| stats | BOOLEAN | -stats | display scan statistic |
| title | BOOLEAN | -title | display page title |
| trace | BOOLEAN | -trace | trace |
| vhost | BOOLEAN | -vhost | probe and display server supporting VHOST |
| config | FILE | -config | path to the httpx configuration file |
| header | STRING | -header | custom http headers to send with request |
| method | BOOLEAN | -method | display http request method |
| silent | BOOLEAN | -silent | silent mode |
| target | STRING | -target | input target host(s) to probe |
| unsafe | BOOLEAN | -unsafe | send raw requests skipping golang normalization |
| exclude | STRING | -exclude | exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex) |
| favicon | BOOLEAN | -favicon | display mmh3 hash for '/favicon.ico' file |
| request | FILE | -request | file containing raw request |
| retries | STRING | -retries | number of retries |
| threads | STRING | -threads | number of threads to use (default 50) |
| timeout | STRING | -timeout | timeout in seconds (default 5) |
| verbose | BOOLEAN | -verbose | verbose mode |
| location | BOOLEAN | -location | display response redirect location |
| pipeline | BOOLEAN | -pipeline | probe and display server supporting HTTP1.1 pipeline |
| protocol | STRING | -protocol | protocol to use (unknown, http11) |
| sni-name | STRING | -sni-name | custom TLS SNI name |
| tls-grab | BOOLEAN | -tls-grab | perform TLS(SSL) data grabbing |
| csp-probe | BOOLEAN | -csp-probe | send http probes on the extracted CSP domains |
| debug-req | BOOLEAN | -debug-req | display request content in cli |
| deny-list | FILE | -deny | denied list of IP/CIDR's to process |
| match-cdn | STRING | -match-cdn | match host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| no-decode | BOOLEAN | -no-decode | avoid decoding body |
| omit-body | BOOLEAN | -omit-body | omit response body in output |
| path-list | FILE | -path | list of paths to probe |
| resolvers | STRING | -resolvers | list of custom resolvers (comma separated) |
| tls-probe | BOOLEAN | -tls-probe | send http probes on the extracted TLS domains (dns_name) |
| websocket | BOOLEAN | -websocket | display server using websocket |
| allow-list | FILE | -allow | allowed list of IP/CIDR's to process |
| debug-resp | BOOLEAN | -debug-resp | display response content in cli |
| filter-cdn | STRING | -filter-cdn | filter host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| http-proxy | STRING | -http-proxy | http proxy to use (eg http://127.0.0.1:8080) |
| line-count | BOOLEAN | -line-count | display response body line count |
| match-code | STRING | -match-code | match response with specified status code (-mc 200,302) |
| rate-limit | STRING | -rate-limit | maximum requests to send per second (default 150) |
| web-server | BOOLEAN | -web-server | display server name |
| word-count | BOOLEAN | -word-count | display response body word count |
| filter-code | STRING | -filter-code | filter response with specified status code (-fc 403,401) |
| header-file | FILE | -header-file | custom http headers to send with request |
| match-regex | STRING | -match-regex | match response with specified regex (-mr admin) |
| no-fallback | BOOLEAN | -no-fallback | display both probed protocol (HTTPS and HTTP) |
| status-code | BOOLEAN | -status-code | display response status-code |
| store-chain | BOOLEAN | -store-chain | include http redirect chain in responses (-sr only) |
| tech-detect | BOOLEAN | -tech-detect | display technology in use based on wappalyzer dataset |
| vhost-input | BOOLEAN | -vhost-input | get a list of vhosts as input |
| body-preview | BOOLEAN | -body-preview | display first N characters of response body (default 100) |
| content-type | BOOLEAN | -content-type | display response content-type |
| extract-fqdn | BOOLEAN | -extract-fqdn | get domain and subdomains from response body and header in jsonl/csv output |
| filter-regex | STRING | -filter-regex | filter response with specified regex (-fe admin) |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| match-length | STRING | -match-length | match response with specified content length (-ml 100,102) |
| match-string | STRING | -match-string | match response with specified string (-ms admin) |
| random-agent | BOOLEAN | -random-agent | enable Random User-Agent to use (default true) |
| respect-hsts | BOOLEAN | -respect-hsts | respect HSTS response headers for redirect requests |
| extract-regex | STRING | -extract-regex | display response content with matched regex |
| filter-length | STRING | -filter-length | filter response with specified content length (-fl 23,33) |
| filter-string | STRING | -filter-string | filter response with specified string (-fs admin) |
| include-chain | BOOLEAN | -include-chain | include redirect http chain in JSON output (-json only) |
| match-favicon | STRING | -match-favicon | match response with specified favicon hash (-mfc 1494302000) |
| max-redirects | STRING | -max-redirects | max number of redirects to follow per host (default 10) |
| probe-all-ips | BOOLEAN | -probe-all-ips | probe all the ips associated with same host |
| response-time | BOOLEAN | -response-time | display response time |
| content-length | BOOLEAN | -content-length | display response content-length |
| extract-preset | STRING | -extract-preset | display response content matched by a pre-defined regex (url,ipv4,mail) |
| filter-favicon | STRING | -filter-favicon | filter response with specified favicon hash (-mfc 1494302000) |
| max-host-error | STRING | -max-host-error | max error count per host before skipping remaining path/s (default 30) |
| resolvers-file | FILE | -resolvers | list of custom resolvers |
| stats-interval | STRING | -stats-interval | number of seconds to wait between showing a statistics update (default: 5) |
| store-response | BOOLEAN | -store-response | store http response to output directory |
| match-condition | STRING | -match-condition | match response with dsl expression condition |
| screenshot-idle | STRING | -screenshot-idle | set idle time before taking screenshot in seconds (default 1s) |
| tls-impersonate | BOOLEAN | -tls-impersonate | enable random tls client (ja3) impersonation (experimental) |
| filter-condition | STRING | -filter-condition | filter response with dsl expression condition |
| follow-redirects | BOOLEAN | -follow-redirects | follow http redirects |
| headless-options | STRING | -headless-options | start headless chrome with additional options |
| include-response | BOOLEAN | -include-response | include http request/response in JSON output (-json only) |
| match-line-count | STRING | -match-line-count | match response body with specified line count (-mlc 423,532) |
| match-word-count | STRING | -match-word-count | match response body with specified word count (-mwc 43,55) |
| filter-duplicates | BOOLEAN | -filter-duplicates | filter out near-duplicate responses (only first response is retained) |
| filter-error-page | BOOLEAN | -filter-error-page | filter response with ML based error page detection |
| filter-line-count | STRING | -filter-line-count | filter response body with specified line count (-flc 423,532) |
| filter-word-count | STRING | -filter-word-count | filter response body with specified word count (-fwc 423,532) |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| list-dsl-variables | BOOLEAN | -list-dsl-variables | list json output field keys name that support dsl matcher/filter |
| no-fallback-scheme | BOOLEAN | -no-fallback-scheme | probe with protocol scheme specified in input |
| screenshot-timeout | STRING | -screenshot-timeout | set timeout for screenshot in seconds (default 10) |
| csv-output-encoding | STRING | -csv-output-encoding | define output encoding |
| leave-default-ports | BOOLEAN | -leave-default-ports | leave default http/https ports in host header (eg. http://host:80 - https//host:443 |
| match-response-time | STRING | -match-response-time | match response with specified response time in seconds (-mrt '< 1') |
| filter-response-time | STRING | -filter-response-time | filter response with specified response time in seconds (-frt '> 1') |
| exclude-headless-body | BOOLEAN | -exclude-headless-body | enable excluding headless header from json output |
| follow-host-redirects | BOOLEAN | -follow-host-redirects | follow redirects on the same host |
| response-size-to-read | STRING | -response-size-to-read | max response size to read in bytes (default 2147483647) |
| response-size-to-save | STRING | -response-size-to-save | max response size to save in bytes (default 2147483647) |
| include-response-base64 | BOOLEAN | -include-response-base64 | include base64 encoded http request/response in JSON output (-json only) |
| include-response-header | BOOLEAN | -include-response-header | include http response (headers) in JSON output (-json only) |
| no-screenshot-full-page | BOOLEAN | -no-screenshot-full-page | disable saving full page screenshot |
| exclude-screenshot-bytes | BOOLEAN | -exclude-screenshot-bytes | enable excluding screenshot bytes from json output |
| store-vision-recon-cluster | BOOLEAN | -store-vision-recon-cluster | include visual recon clusters (-ss and -sr only) |
example
# httpx-screenshot: probe URLs and save page screenshotshttpx -l urls.txt -screenshot -status-code -title -json -o httpx-shots.json{"url":"https://www.example.com","status_code":200,"title":"Example","screenshot":"screenshot/www.example.com.png"}{"url":"https://api.example.com","status_code":401,"title":"Unauthorized","screenshot":"screenshot/api.example.com.png"}{"url":"https://dev.example.com","status_code":200,"title":"Dev Portal","screenshot":"screenshot/dev.example.com.png"}{"url":"https://staging.example.com","status_code":302,"title":"","screenshot":"screenshot/staging.example.com.png"}{"url":"https://mail.example.com","status_code":200,"title":"Webmail","screenshot":"screenshot/mail.example.com.png"}guidance
Use httpx-screenshot when you want visual triage of a live host list. For metadata-only probing without images, plain httpx is lighter. To bundle the captures into a single downloadable archive, use httpx-screenshot-zip.
The same toolkit without rendering. Faster when you only need status, title, and tech, not images.
Same capture, packaged into a zip archive for easy download and sharing.
Classic screenshot-and-report tool. httpx-screenshot keeps probing and capture in one engine.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A hosts list is probed by httpx, then httpx-screenshot captures each live host and writes the screenshots as a gallery output for visual triage.
Facts on this page come from the live Trickest tool library.