CURL — Practical Guide

1. INTRODUCTION

curl is a command-line tool used to make HTTP requests, test APIs, download files, send forms, authenticate, and debug web applications.

It supports HTTP, HTTPS, FTP, SFTP, SMB, SMTP, and more.

Essential for pentesting, bug bounty, API testing, and automation.

2. BASIC REQUESTS

GET request:

bash
curl http://target.com

Show response headers:

bash
curl -I http://target.com

Follow redirects:

bash
curl -L http://target.com

3. SAVING OUTPUT

Save to file:

bash
curl http://target.com -o output.html

Append output:

bash
curl http://target.com >> saved.html

4. VIEW FULL RESPONSE

Verbose mode (shows connection details):

bash
curl -v http://target.com

Silent mode (no progress bar):

bash
curl -s http://target.com

Show only response body:

bash
curl -s -o - http://target.com

5. CUSTOM HEADERS

Add User-Agent:

bash
curl -H "User-Agent: Mozilla/5.0" http://target.com

Add cookies:

bash
curl -H "Cookie: session=abc123" http://target.com

Add multiple headers:

bash
curl -H "X-Test: 1" -H "X-Debug: true" http://target.com

6. POST REQUESTS

POST form data:

bash
curl -X POST -d "user=admin&pass=1234" http://target.com/login

POST JSON:

bash
curl -X POST -H "Content-Type: application/json" -d '{"user":"admin"}' http://api.target.com

POST file upload:

bash
curl -X POST -F "file=@shell.php" http://target.com/upload

7. AUTHENTICATION

Basic Auth:

bash
curl -u admin:password http://target.com

Bearer token:

bash
curl -H "Authorization: Bearer TOKEN123" http://api.target.com

API key:

bash
curl -H "X-API-Key: 12345" http://target.com

8. FILE TRANSFERS

Download file:

bash
curl -O http://target.com/file.zip

Upload via FTP:

bash
curl -T file.txt ftp://user:pass@target.com/

9. PROXY USAGE

Use Burp Suite as proxy:

bash
curl -x http://127.0.0.1:8080 http://target.com

Ignore SSL errors:

bash
curl -k https://target.com

10. RATE LIMITING & TIMING

Limit download speed:

bash
curl --limit-rate 100K http://target.com

Timeout:

bash
curl --max-time 5 http://target.com

11. FILTERING OUTPUT

Show only HTTP status code:

bash
curl -o /dev/null -s -w "%{http_code}" http://target.com

Show only IP address resolved:

bash
curl -s -o /dev/null -w "%{remote_ip}" http://target.com

12. API TESTING WORKFLOW

List resources:

bash
curl -H "Accept: application/json" http://api.target.com/items

Create new entry:

bash
curl -X POST -d '{"name":"test"}' -H "Content-Type: application/json" http://api.target.com/items

Update entry:

bash
curl -X PUT -d '{"name":"updated"}' http://api.target.com/items/1

Delete entry:

bash
curl -X DELETE http://api.target.com/items/1

13. REAL PENTEST & CTF EXAMPLES

Check if SQLi triggers error:

bash
curl -G --data-urlencode "id=' OR 1=1--" http://target.com/item

Check XSS:

bash
curl -G --data-urlencode "search=alert(1)" http://target.com

Bypass login with forged header:

bash
curl -X POST -d "user=admin&pass=wrong" -H "X-Forwarded-For: 127.0.0.1" http://target.com/login

Brute-force parameter:

bash
for i in {1..20}; do curl -s http://target.com/item?id=$i; done
← Back to tutorial