loading
loading
Discovery
Capture web host screenshots with httpx and export them to a zip archive.
overview
httpx-screenshot-zip runs the httpx HTTP toolkit with headless capture enabled, then packs every screenshot into a single zip archive. That packaging is the point: instead of a sprawling folder of images, you get one artifact to download, attach to a report, or hand to a teammate, while each shot still carries httpx probe context like status and title.
It reads a host list or targets, probes and renders each page through headless Chrome, and writes both a results folder and the zipped gallery. Rendering controls include idle time before the shot, a screenshot timeout, full-page versus viewport capture, and extra Chrome options, alongside httpx matchers so you only keep responses worth archiving.
Wire it after a live-host prober when the deliverable is a portable gallery rather than loose files. On Trickest the node takes a hosts list and writes a file and a folder with the screenshots packaged as a zip.
use cases
Capture every live host and export the images as one zip so the result is a single artifact to download or attach to a report.
Bundle screenshots into an archive a teammate or client can open without navigating a folder tree of loose files.
Screenshot hundreds of live hosts for visual triage and ship the whole set as a compressed deliverable.
Set the idle time and screenshot timeout so dynamic and slow pages render fully before being zipped.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| list | FILE | -list | Input file containing the list of hosts to process. |
| target | STRING | -target | Input target host(s) to probe. |
| screenshot-idle | STRING | -screenshot-idle | Idle time before taking the screenshot, in seconds (default 1s). |
| screenshot-timeout | STRING | -screenshot-timeout | Timeout for the screenshot in seconds (default 10). |
| no-screenshot-full-page | BOOLEAN | -no-screenshot-full-page | Disable saving the full-page screenshot; capture the viewport only. |
| headless-options | STRING | -headless-options | Start headless Chrome with additional options. |
| threads | STRING | -threads | Number of threads to use (default 50). |
| title | BOOLEAN | -title | Display page title alongside probe results. |
Showing key inputs. httpx-screenshot-zip exposes 123 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| x | STRING | -x | request methods to probe, use 'all' to probe all HTTP methods |
| ip | BOOLEAN | -ip | display host ip |
| asn | BOOLEAN | -asn | display host asn information |
| cdn | BOOLEAN | -cdn | display cdn in use |
| csv | BOOLEAN | -csv | store output in csv format |
| body | FILE | -body | post body to include in http request |
| deny | STRING | -deny | denied list of IP/CIDR's to process (comma separated) |
| hash | STRING | -hash | display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512) |
| jarm | BOOLEAN | -jarm | display jarm fingerprint hash |
| json | BOOLEAN | -json | store output in JSONL(ines) format |
| list | FILE | -list | input file containing list of hosts to process |
| path | STRING | -path | path or list of paths to probe (comma-separated) |
| ztls | BOOLEAN | -ztls | use ztls library with autofallback to standard one for tls13 |
| allow | STRING | -allow | allowed list of IP/CIDR's to process (comma separated) |
| cname | BOOLEAN | -cname | display host cname |
| debug | BOOLEAN | -debug | display request/response content in cli |
| delay | STRING | -delay | duration between each http request (eg: 200ms, 1s) (default -1ns) |
| http2 | BOOLEAN | -http2 | probe and display server supporting HTTP2 |
| ports | STRING | -ports | ports to probe (nmap syntax: eg http:1,2-10,11,https:80) |
| probe | BOOLEAN | -probe | display probe status |
| stats | BOOLEAN | -stats | display scan statistic |
| title | BOOLEAN | -title | display page title |
| trace | BOOLEAN | -trace | trace |
| vhost | BOOLEAN | -vhost | probe and display server supporting VHOST |
| config | FILE | -config | path to the httpx configuration file |
| header | STRING | -header | custom http headers to send with request |
| method | BOOLEAN | -method | display http request method |
| silent | BOOLEAN | -silent | silent mode |
| target | STRING | -target | input target host(s) to probe |
| unsafe | BOOLEAN | -unsafe | send raw requests skipping golang normalization |
| exclude | STRING | -exclude | exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex) |
| favicon | BOOLEAN | -favicon | display mmh3 hash for '/favicon.ico' file |
| request | FILE | -request | file containing raw request |
| retries | STRING | -retries | number of retries |
| threads | STRING | -threads | number of threads to use (default 50) |
| timeout | STRING | -timeout | timeout in seconds (default 5) |
| verbose | BOOLEAN | -verbose | verbose mode |
| location | BOOLEAN | -location | display response redirect location |
| pipeline | BOOLEAN | -pipeline | probe and display server supporting HTTP1.1 pipeline |
| protocol | STRING | -protocol | protocol to use (unknown, http11) |
| sni-name | STRING | -sni-name | custom TLS SNI name |
| tls-grab | BOOLEAN | -tls-grab | perform TLS(SSL) data grabbing |
| csp-probe | BOOLEAN | -csp-probe | send http probes on the extracted CSP domains |
| debug-req | BOOLEAN | -debug-req | display request content in cli |
| deny-list | FILE | -deny | denied list of IP/CIDR's to process |
| match-cdn | STRING | -match-cdn | match host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| no-decode | BOOLEAN | -no-decode | avoid decoding body |
| omit-body | BOOLEAN | -omit-body | omit response body in output |
| path-list | FILE | -path | list of paths to probe |
| resolvers | STRING | -resolvers | list of custom resolvers (comma separated) |
| tls-probe | BOOLEAN | -tls-probe | send http probes on the extracted TLS domains (dns_name) |
| websocket | BOOLEAN | -websocket | display server using websocket |
| allow-list | FILE | -allow | allowed list of IP/CIDR's to process |
| debug-resp | BOOLEAN | -debug-resp | display response content in cli |
| filter-cdn | STRING | -filter-cdn | filter host with specified cdn provider (azure, cloudflare, cloudfront, fastly, incapsula, oracle, google, sucuri, leaseweb, akamai) |
| http-proxy | STRING | -http-proxy | http proxy to use (eg http://127.0.0.1:8080) |
| line-count | BOOLEAN | -line-count | display response body line count |
| match-code | STRING | -match-code | match response with specified status code (-mc 200,302) |
| rate-limit | STRING | -rate-limit | maximum requests to send per second (default 150) |
| web-server | BOOLEAN | -web-server | display server name |
| word-count | BOOLEAN | -word-count | display response body word count |
| filter-code | STRING | -filter-code | filter response with specified status code (-fc 403,401) |
| header-file | FILE | -header-file | custom http headers to send with request |
| match-regex | STRING | -match-regex | match response with specified regex (-mr admin) |
| no-fallback | BOOLEAN | -no-fallback | display both probed protocol (HTTPS and HTTP) |
| status-code | BOOLEAN | -status-code | display response status-code |
| store-chain | BOOLEAN | -store-chain | include http redirect chain in responses (-sr only) |
| tech-detect | BOOLEAN | -tech-detect | display technology in use based on wappalyzer dataset |
| vhost-input | BOOLEAN | -vhost-input | get a list of vhosts as input |
| body-preview | BOOLEAN | -body-preview | display first N characters of response body (default 100) |
| content-type | BOOLEAN | -content-type | display response content-type |
| extract-fqdn | BOOLEAN | -extract-fqdn | get domain and subdomains from response body and header in jsonl/csv output |
| filter-regex | STRING | -filter-regex | filter response with specified regex (-fe admin) |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| match-length | STRING | -match-length | match response with specified content length (-ml 100,102) |
| match-string | STRING | -match-string | match response with specified string (-ms admin) |
| random-agent | BOOLEAN | -random-agent | enable Random User-Agent to use (default true) |
| respect-hsts | BOOLEAN | -respect-hsts | respect HSTS response headers for redirect requests |
| extract-regex | STRING | -extract-regex | display response content with matched regex |
| filter-length | STRING | -filter-length | filter response with specified content length (-fl 23,33) |
| filter-string | STRING | -filter-string | filter response with specified string (-fs admin) |
| include-chain | BOOLEAN | -include-chain | include redirect http chain in JSON output (-json only) |
| match-favicon | STRING | -match-favicon | match response with specified favicon hash (-mfc 1494302000) |
| max-redirects | STRING | -max-redirects | max number of redirects to follow per host (default 10) |
| probe-all-ips | BOOLEAN | -probe-all-ips | probe all the ips associated with same host |
| response-time | BOOLEAN | -response-time | display response time |
| content-length | BOOLEAN | -content-length | display response content-length |
| extract-preset | STRING | -extract-preset | display response content matched by a pre-defined regex (url,ipv4,mail) |
| filter-favicon | STRING | -filter-favicon | filter response with specified favicon hash (-mfc 1494302000) |
| max-host-error | STRING | -max-host-error | max error count per host before skipping remaining path/s (default 30) |
| resolvers-file | FILE | -resolvers | list of custom resolvers |
| stats-interval | STRING | -stats-interval | number of seconds to wait between showing a statistics update (default: 5) |
| store-response | BOOLEAN | -store-response | store http response to output directory |
| match-condition | STRING | -match-condition | match response with dsl expression condition |
| screenshot-idle | STRING | -screenshot-idle | set idle time before taking screenshot in seconds (default 1s) |
| tls-impersonate | BOOLEAN | -tls-impersonate | enable random tls client (ja3) impersonation (experimental) |
| filter-condition | STRING | -filter-condition | filter response with dsl expression condition |
| follow-redirects | BOOLEAN | -follow-redirects | follow http redirects |
| headless-options | STRING | -headless-options | start headless chrome with additional options |
| include-response | BOOLEAN | -include-response | include http request/response in JSON output (-json only) |
| match-line-count | STRING | -match-line-count | match response body with specified line count (-mlc 423,532) |
| match-word-count | STRING | -match-word-count | match response body with specified word count (-mwc 43,55) |
| filter-duplicates | BOOLEAN | -filter-duplicates | filter out near-duplicate responses (only first response is retained) |
| filter-error-page | BOOLEAN | -filter-error-page | filter response with ML based error page detection |
| filter-line-count | STRING | -filter-line-count | filter response body with specified line count (-flc 423,532) |
| filter-word-count | STRING | -filter-word-count | filter response body with specified word count (-fwc 423,532) |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| list-dsl-variables | BOOLEAN | -list-dsl-variables | list json output field keys name that support dsl matcher/filter |
| no-fallback-scheme | BOOLEAN | -no-fallback-scheme | probe with protocol scheme specified in input |
| screenshot-timeout | STRING | -screenshot-timeout | set timeout for screenshot in seconds (default 10) |
| csv-output-encoding | STRING | -csv-output-encoding | define output encoding |
| leave-default-ports | BOOLEAN | -leave-default-ports | leave default http/https ports in host header (eg. http://host:80 - https//host:443 |
| match-response-time | STRING | -match-response-time | match response with specified response time in seconds (-mrt '< 1') |
| filter-response-time | STRING | -filter-response-time | filter response with specified response time in seconds (-frt '> 1') |
| exclude-headless-body | BOOLEAN | -exclude-headless-body | enable excluding headless header from json output |
| follow-host-redirects | BOOLEAN | -follow-host-redirects | follow redirects on the same host |
| response-size-to-read | STRING | -response-size-to-read | max response size to read in bytes (default 2147483647) |
| response-size-to-save | STRING | -response-size-to-save | max response size to save in bytes (default 2147483647) |
| include-response-base64 | BOOLEAN | -include-response-base64 | include base64 encoded http request/response in JSON output (-json only) |
| include-response-header | BOOLEAN | -include-response-header | include http response (headers) in JSON output (-json only) |
| no-screenshot-full-page | BOOLEAN | -no-screenshot-full-page | disable saving full page screenshot |
| exclude-screenshot-bytes | BOOLEAN | -exclude-screenshot-bytes | enable excluding screenshot bytes from json output |
| store-vision-recon-cluster | BOOLEAN | -store-vision-recon-cluster | include visual recon clusters (-ss and -sr only) |
example
# probe hosts, capture screenshots, package for handoffhttpx -list hosts.txt -title -screenshot-idle 2 -screenshot-timeout 15 -threads 25 -no-screenshot-full-pagehttps://www.example.com [200] [Example Domain]https://app.example.com [200] [App Login]https://api.example.com [401] [Unauthorized]https://staging.example.com [200] [Staging]http://198.51.100.24 [302] []https://dev.example.com:8443 [200] [Dev Portal]screenshots written; archive ready as screenshots.zip6 hosts capturedguidance
Use httpx-screenshot-zip when the deliverable is a single packaged gallery. For browsing screenshots as loose files, httpx-screenshot is the same capture without the archive. For metadata-only probing, plain httpx is lighter.
Same capture engine, screenshots left as loose files instead of a zip archive.
Probing without rendering. Faster when you only need status, title, and tech, not images.
Classic screenshot-and-report tool. This node keeps probing, capture, and packaging in one step.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A hosts list is probed by httpx, then httpx-screenshot-zip captures each live host and writes the screenshots as a single zip archive output.
Facts on this page come from the live Trickest tool library.