GoHTTPProbe is a modern HTTP methods testing tool written in Go. It allows you to test various HTTP methods against a URL to discover HTTP verb tampering vulnerabilities and "dangerous" HTTP methods.
This tool is a reimplementation of the Python HTTPMethods utility, as there were difficulties getting it to work in modern python environments and because I just like go :)
- Test multiple HTTP methods against target URLs
- Detect supported and potentially dangerous HTTP methods
- Automatic discovery of server-supported methods via OPTIONS request
- Support for custom headers and cookies
- Option to read target URLs from a file
- JSON export for results
If you have Go installed, you may use:
go install github.com/ByteSizedMarius/gohttpprobe/cmd/ghp@latest# Clone the repository
git clone https://github.com/ByteSizedMarius/GoHTTPProbe
cd GoHTTPProbe
# Option 1: Build the binary
go build -o ghp ./cmd/ghp
# This builds a binary named 'ghp' in the current directory
# Option 2: Install to your GOPATH/bin
go install ./cmd/ghp
# This installs the binary named 'ghp' to your GOPATH/bin directoryBasic usage:
ghp -u example.comIf no protocol is specified, https:// is used.
Full options:
[~] GoHTTPProbe - HTTP Methods Tester v0.0.1
Usage: ghp -u URL [options]
Options:
  # Target selection:
  -u, --url string         Target URL (e.g., https://example.com:port/path)
  -i, --input string       Read target URLs from a file (one per line)
  # Output control:
  -v, --verbose            Enable verbose output
  -q, --quiet              Show no information at all
  -o, --output string      Save results to specified JSON file
  # Connection options:
  -k, --insecure           Allow insecure server connections (skip SSL verification)
  -f, --follow             Follow redirects
  -p, --proxy string       Use proxy for connections (e.g., http://localhost:8080)
  -n, --concurrent int     Number of concurrent requests (default: 5)
  -t, --timeout int        Timeout in seconds for HTTP requests (default: 10)
  # Request customization:
  -H, --header strings     Headers to include (e.g., -H "User-Agent: test" or -H headers.txt)
  -b, --cookies string     Cookies to use (e.g., -b "session=abc" or -b cookies.txt)
  -c, --cookie-jar string  Write received cookies to specified file
  -A, --user-agent string  User-Agent string to send
  # Method testing options:
  -s, --safe-only          Only test safe methods (exclude PUT, DELETE, etc.)
  -m, --methods string     Custom HTTP methods wordlist file
Test a single URL:
ghp -u example.comTest with custom headers:
ghp -u example.com -H "User-Agent: MyCustomAgent" -H "Authorization: Bearer token123"Test with headers from a file:
ghp -u example.com -H headers.txtTest with cookies:
ghp -u example.com -b "session=abc123; token=xyz456"Test multiple URLs from a file:
ghp -i urls.txtSave results to JSON:
ghp -u example.com -o results.jsonOnly test safe methods:
ghp -u example.com --safe-onlyUse custom HTTP methods list:
ghp -u example.com -m custom-methods.txtSet concurrency level for faster testing:
ghp -u example.com -n 10This project is based on the HTTPMethods Python utility by ShutdownRepo.
The tool uses ANSI escape sequences for colorized output in the terminal:
- Green: 200 OK responses
- Cyan: 3xx redirection responses
- Red: 4xx client error responses
- Yellow: 5xx server error responses
Colors may not display correctly in all terminals, particularly on Windows command prompt. Consider using a terminal that supports ANSI colors like Windows Terminal, PowerShell, or WSL.
The tool includes a default wordlist of HTTP methods to test located at wordlists/default.txt. You can specify your own wordlist using the -m flag.
By default, the tool sends an OPTIONS request to the target server to discover additional supported HTTP methods, which are then added to the test list. This helps in finding methods that might not be in the default wordlist but are supported by the server.
By default, the tool tests all HTTP methods, including potentially dangerous ones like PUT, DELETE, etc. These methods could modify server content if the server allows them. Use the --safe-only flag to exclude these methods from testing.
The following methods are considered potentially dangerous:
- DELETE - Can delete resources on the server
- PUT - Can create or replace resources on the server
- PATCH - Can modify resources on the server
- COPY - Can copy resources on the server
- UNCHECKOUT - Can affect version control on the server
The default list of HTTP methods tested is based on the original Python implementation, with some common methods that might be useful for security testing. Alternative wordlists are available:
- Default wordlist: wordlists/default.txt
- Burp Suite methods: wordlists/burp.txt- A more comprehensive list of methods used by Burp Suite
You can use these wordlists with the -m flag:
ghp -u example.com -m wordlists/burp.txtYou can also create your own custom wordlist file with HTTP methods and use it with the -m flag.
