curl Cheatsheet (Web Fingerprinting)

Purpose: Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing.

Core Flags

Flag	Description
`-I`	HEAD request (headers only)
`-i`	Include response headers in output
`-v`	Verbose (request + response, TLS info)
`-vv` / `--trace-ascii -`	Full wire trace
`-s`	Silent (no progress meter)
`-S`	Show errors even with `-s`
`-L`	Follow redirects
`-k` / `--insecure`	Ignore TLS cert errors
`-o <file>`	Write body to file
`-O`	Save with remote filename
`-A <ua>`	Set User-Agent
`-e <ref>`	Set Referer
`-H "<hdr>: <val>"`	Custom header (repeatable)
`-X <METHOD>`	HTTP method (GET, POST, PUT, DELETE, etc.)
`-d <data>`	POST body (`application/x-www-form-urlencoded`)
`--data-raw`	POST body without `@`/`&` interpretation
`--data-binary`	POST body as-is (preserve newlines)
`-F <field>=<val>`	Multipart form upload
`-b <cookie>` / `-c <file>`	Send cookie / save cookies
`-u user:pass`	HTTP Basic auth
`-x <proxy>`	Use proxy (e.g. `http://127.0.0.1:8080`)
`--resolve host:port:ip`	Force DNS resolution (Host-header testing)
`--max-time <s>`	Hard timeout
`--connect-timeout <s>`	Connect timeout
`-w "<format>"`	Write-out format (timings, codes)

curl -I https://target.tld                           # HEAD: server, framework, cookies
curl -sI https://target.tld | grep -iE 'server|x-powered-by|x-aspnet|via|set-cookie'
curl -sIL https://target.tld                         # Follow redirects, show every hop
curl -v https://target.tld 2>&1 | grep -iE '^< '     # All response headers

Verbose / TLS Inspection

curl -v https://target.tld                           # Cert chain, ALPN, ciphers
curl -vk https://target.tld                          # Ignore cert errors
curl --trace-ascii trace.log https://target.tld      # Full request/response dump
curl -v --tls-max 1.2 https://target.tld             # Pin max TLS version

Method / Verb Tampering

curl -X OPTIONS -i https://target.tld/               # Allowed methods
curl -X PUT -d "test" -i https://target.tld/file.txt
curl -X DELETE -i https://target.tld/resource/1
curl -X TRACE -i https://target.tld/                 # Cross-Site Tracing check

Virtual Host / Host Header Testing

curl -s -H "Host: dev.target.tld" http://<ip>/ -o dev.html
curl -sI --resolve target.tld:443:<ip> https://target.tld/
curl -s -H "Host: admin.internal" http://<ip>/      # Find vhosts on shared IP

Cookies & Sessions

curl -c cookies.txt -b cookies.txt https://target.tld/login
curl -b "session=abcd1234" https://target.tld/dashboard
curl -c - https://target.tld/                        # Print Set-Cookie to stdout

Authentication

curl -u admin:password https://target.tld/admin      # Basic
curl -H "Authorization: Bearer <jwt>" https://api.target.tld/
curl --ntlm -u 'DOMAIN\user:pass' https://target.tld/
curl --digest -u user:pass https://target.tld/

POST / API Testing

# Form data
curl -X POST -d "user=admin&pass=admin" https://target.tld/login

# Raw JSON
curl -X POST -H "Content-Type: application/json" \
  -d '{"user":"admin","pass":"admin"}' \
  https://target.tld/api/login

# File from disk
curl -X POST -H "Content-Type: application/json" \
  --data-binary @payload.json https://target.tld/api

# Multipart upload
curl -F "[email protected]" -F "submit=upload" https://target.tld/upload.php

Proxy (Burp / ZAP)

curl -x http://127.0.0.1:8080 -k https://target.tld/
export https_proxy=http://127.0.0.1:8080             # Per-shell proxy

Useful Write-Out Format

curl -s -o /dev/null -w \
  "code:%{http_code}  size:%{size_download}  time:%{time_total}s  redir:%{redirect_url}
" \
  https://target.tld/

Fingerprinting Recipes

# Quick stack identification
curl -sIL https://target.tld | grep -iE 'server|x-powered-by|x-generator|x-drupal|x-aspnet'

# Pull robots.txt + sitemap
curl -s https://target.tld/robots.txt
curl -s https://target.tld/sitemap.xml | head

# Search response body for tech tells
curl -s https://target.tld/ | grep -iE 'wp-content|drupal|joomla|laravel|generator='

# Check common admin / framework paths
for p in admin login wp-admin administrator phpmyadmin server-status; do
  printf "%-20s " "$p"
  curl -sk -o /dev/null -w "%{http_code}
" "https://target.tld/$p"
done

Tips

HEAD (-I) can lie or be blocked — fall back to -sI -X GET and inspect headers from a real GET.
Combine -v with -o /dev/null to inspect headers without dumping a big body.
--resolve beats editing /etc/hosts for one-off vhost checks.
-k is for testing only; never disable cert checks in production tooling.

curl Cheatsheet (Web Fingerprinting)#

Core Flags#

Banner Grabbing / Header Inspection#

Verbose / TLS Inspection#

Method / Verb Tampering#

Virtual Host / Host Header Testing#

Cookies & Sessions#

Authentication#

POST / API Testing#

Proxy (Burp / ZAP)#

Useful Write-Out Format#

Fingerprinting Recipes#

Tips#

curl Cheatsheet (Web Fingerprinting)

Core Flags

Banner Grabbing / Header Inspection

Verbose / TLS Inspection

Method / Verb Tampering

Virtual Host / Host Header Testing

Cookies & Sessions

Authentication

POST / API Testing

Proxy (Burp / ZAP)

Useful Write-Out Format

Fingerprinting Recipes

Tips