June 23, 2026
“Bug Bounty Bootcamp #53: HTTPx — The Recon Tool That Probes Thousands of Subdomains in Seconds”
By Aman Sharma
You found 3,000 subdomains. Now what? Manually visiting each one would take days. HTTPx does it in minutes, giving you status codes, titles, tech stacks, and redirects — so you can focus on the juicy targets.
Welcome back, my favorite little efficiency demons. You've collected subdomains from CT logs, Shodan, and subfinder. Now you have a massive list — 3,000+ domains. But not all of them are live. Some are dead, some redirect, some are just parked pages. Manually checking each one is impossible. Enter HTTPx — a lightning-fast tool that probes every domain on your list and spits out exactly what you need: status codes, page titles, content lengths, tech stacks, and more.
Today, we're turning that raw domain list into a prioritized target list.
1. What Is HTTPx?
HTTPx is a tool from ProjectDiscovery. It takes a list of domains or IPs and sends HTTP/HTTPS requests to each one, collecting banners, headers, and other metadata. It's fast, it's silent, and it's perfect for recon.
Why it's awesome:
- It tells you which domains are live (status codes).
- It shows you what technology is running (tech-detect).
- It follows redirects (so you know the final destination).
- It gives you the page title — often revealing "Admin" or "Login".
- It can probe non-standard ports (8080, 8443, etc.).
2. The HTTPx Flags You Actually Need
Here's the command from the course — a perfect starting point:
httpx -l paypal.txt \
-status-code \
-content-length \
-location \
-title \
-tech-detect \
-ip \
-p 80,443,8080,8443 \
-follow-redirects \
-o paypal-httpx.txt
Let's break down every flag:
Pro tip: Don't probe every port (1–65535) — that would take forever. Stick to common web ports: 80, 443, 8080, 8443, 8000, 3000, 5000.
3. What to Look For in the Results
Once HTTPx finishes, you'll have a file with columns. Here's how to analyze it:
Status Codes
Titles
Look for keywords:
Login, Sign In, Admin, Dashboard, Portal, Internal, Dev, Staging, QA
These are your golden tickets — internal apps and admin panels.
Tech Detect
If you see PHP, Node.js, Java, Apache Tomcat, or IIS, you know the tech stack. Search for version-specific CVEs.
Content Length
If the content length is 0 or very small, it might be an empty page or an API endpoint with no response. If it's large, it's likely a full web app.
4. The Follow Redirects Trick
Some domains redirect to login.sso.target.com or app.target.com. The -location flag shows you where they go. This reveals the company's Single Sign-On (SSO) infrastructure and all the apps behind it.
Example:
https://admin.dev.paypal.com → https://paypal.com/us/login
Now you know the SSO endpoint. Search for it in Shodan or Google to find all the apps that use it.
5. Ports — Don't Forget 8080, 8443, and 8000
Most recon tools only scan 80 and 443. But internal admin panels often run on alternative ports:
In the course: The instructor included -p 80,443,8080,8443 in their HTTPx command. If you find admin.dev.target.com:8443 returning a 200, that's a new attack surface.
6. Prioritizing Your Targets (The 80/20 Rule)
After HTTPx runs, you'll have a list. Prioritize like this:
- First, test everything with 200 and a juicy title (Admin, Login, Dashboard).
- Next, test 302 redirects – follow them and see if they land on something interesting.
- Then, test 403 and 401 – these exist, they're just locked. Try bypasses.
- Finally, test non-standard ports — they often host internal tools.
Don't waste time on 404s – they're dead.
7. The Full Recon Pipeline (With HTTPx)
- Find subdomains → subfinder -d target.com -all > subdomains.txt
- Probe with HTTPx → httpx -l subdomains.txt -status-code -title -tech-detect -follow-redirects -o live.txt
- Filter the results → grep -F "[200]" live.txt | grep -E "Login|Admin|Dashboard" > juicy.txt (match the bracketed status field, not a bare "200", which would also hit content lengths and titles)
- Test manually → Open juicy.txt and start hacking.
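To do the prioritization from section 6 and the filter step of the pipeline in one pass, here is an added Python triage script (mine, not code from the course or from ProjectDiscovery). It parses HTTPx's bracketed default output into named fields, so a 200 is matched on the status column rather than anywhere on the line (a content length of 200 would otherwise slip through), and assigns each live host a tier; the column order and the sample lines are assumptions.

```python
import re
# Assumed httpx default (non-JSON) layout for the flags in this post: URL, then bracketed
# status code, content length, location, title, tech. Check the column order on your own output.
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
FIELD_RE = re.compile(r"\[([^\]]*)\]")
JUICY = re.compile(r"login|sign in|admin|dashboard|portal|internal|dev|staging|qa", re.I)
STANDARD_PORTS = {"80", "443"}
# Constructed sample output; the hostnames are placeholders, not real targets.
SAMPLE = """\
https://admin.dev.example.com:8443 [200] [5120] [] [Admin Login] [Nginx,PHP]
https://www.example.com [200] [200] [] [Welcome] [Apache]
https://old.example.com [302] [0] [https://login.sso.example.com/] [] []
https://api.example.com [403] [48] [] [Forbidden] [Envoy]
https://dead.example.com [404] [1200] [] [Not Found] [Cloudflare]
https://tools.example.com:8080 [200] [3300] [] [Jenkins] [Jetty]
""".splitlines()

def parse_line(line):
    """One httpx line -> dict of named fields, or None if it does not fit the layout.
    A redirect chain like "301,200" in the status field is reduced to its final value."""
    m = LINE_RE.match(line.strip())
    fields = FIELD_RE.findall(m.group(2)) if m else []
    if len(fields) < 5:
        return None
    status, length, location, title, tech = fields[:5]
    host_port = m.group(1).split("://", 1)[-1].split("/", 1)[0]
    port = host_port.rsplit(":", 1)[1] if ":" in host_port else ("443" if m.group(1).startswith("https") else "80")
    return {"url": m.group(1), "status": int(status.split(",")[-1]), "length": int((length or "0").split(",")[-1]),
            "location": location, "title": title, "tech": tech, "port": port}

def priority(entry):
    """80/20 tiers: 1 live + juicy title, 2 redirect, 3 locked (401/403),
    4 non-standard port, 5 other live page, None for 404s (skip)."""
    s = entry["status"]
    if s == 404:
        return None
    if s == 200 and JUICY.search(entry["title"]):
        return 1
    if 300 <= s < 400:
        return 2
    if s in (401, 403):
        return 3
    return 4 if entry["port"] not in STANDARD_PORTS else 5

def triage(lines):
    """Tiered entries, highest priority first; 404s and unparseable lines are dropped."""
    entries = [e for e in map(parse_line, lines) if e is not None and priority(e) is not None]
    for e in entries:
        e["tier"] = priority(e)
    return sorted(entries, key=lambda e: e["tier"])
```

Feed it `open("live.txt")` instead of `SAMPLE` to triage a real run; tier 1 and 2 entries are the shortlist, tier 5 is the backlog.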
The HTTPx Hunter's Checklist
- Start with a domain list from subfinder, CT logs, or Shodan.
- Run HTTPx with the right flags — status, title, tech-detect, location, and ports.
- Wait for it to finish — grab a coffee, it's processing thousands of domains.
- Open the output file — sort by status code (200 first).
- Look for juicy titles — Admin, Login, Dashboard.
- Follow redirects — discover the SSO ecosystem.
- Probe non-standard ports — 8080, 8443, 8000.
- Create a shortlist — these are your targets for manual testing.
Pro Tips from the Course
- Use -follow-redirects always. You need to know where the domain actually leads.
- Save the raw output. You'll come back to it later when you're bored.
- Combine with ffuf. Once you find a live domain, fuzz it for hidden directories.
- Run HTTPx after every recon refresh. Your target's infrastructure changes constantly.
Final Boss Wisdom
HTTPx is the bridge between "I have 3,000 domains" and "I know exactly what to hack." It turns noise into signal. It tells you which pages are live, which are admin panels, and which are just empty redirects. Without it, you're guessing. With it, you're hunting.
Now go forth, you magnificent recon efficiency demon. And when you find that one admin panel on port 8080 with a 200 status, do a silent victory dance. You've earned it.
— Your friendly neighborhood HTTPx ninja 🚀💥
P.S. If you're a dev reading this — please don't put your internal admin panel on port 8080 with default creds. We will find it. And we will laugh.