Read a raw HTTP request from a file and use it as the request template
--raw-request-proto
https
Scheme for --raw-request when the request line is origin-form (http or https)
--cookies
Fetch and include cookies
-d, --delay
0
Delay between requests in milliseconds
-j, --concurrency
1
Number of URLs to scan concurrently
-x, --proxy
HTTP proxy URL (e.g., http://127.0.0.1:8080)
Detection
Option
Default
Description
-c, --checks
all
Checks to run (comma-separated)
-1, --exit-first
Stop after first vulnerability
--fingerprint
Enable proxy fingerprinting
--fuzz
Enable mutation-based fuzzing
--fuzz-seed
42
Mutation seed for reproducibility
--max-payloads
Maximum payloads to test per check type
--baseline-count
3
Number of baseline requests for timing measurement
Available checks: cl-te, te-cl, te-te, h2c, h2, cl-edge
Output
Option
Default
Description
-o, --output
Save results to file
-f, --format
plain
Output format: plain or json
-V, --verbose
Enable detailed logging
-q, --quiet
Quiet mode (only show vulnerabilities)
--export-payloads
Export vulnerable payloads to directory
--no-color
Disable colored output
Exploitation
Option
Default
Description
-e, --exploit
Exploit types (comma-separated)
--exploit-ports
22,80,443,8080,3306
Ports to test (localhost-access)
--exploit-wordlist
Wordlist for path-fuzz
--smuggle-request
Inner request for smuggle/capture
--reveal-endpoint
scanned path
Reflecting endpoint for reveal
--reveal-param
q
Reflected form parameter for reveal
Available exploits: localhost-access, path-fuzz, smuggle, capture, reveal
Examples
# Full scan with fingerprinting and fuzzing
smugglex --fingerprint --fuzz https://target.com
# Custom headers and timeout
smugglex -H "Authorization: Bearer token" -t 15 https://target.com
# Replay a captured request (e.g. exported from Burp Suite) as the template.
# Method, request-target, Host and headers (cookies, auth, ...) are reused;
# the target is taken from the Host header. The request-target is sent verbatim
# — dot-segments, matrix params and '#' are preserved, not normalized — for both
# origin-form (POST /path ...) and absolute-form (GET http://...) request lines,
# so path-based payloads survive. The body is replaced by the generated smuggling
# payloads, and Content-Length / Transfer-Encoding are managed by smugglex.
smugglex --raw-request request.txt
# Same, but the captured request targets a plain-HTTP service
smugglex --raw-request request.txt --raw-request-proto http
# -H is additive on top of the captured headers (e.g. add a collaborator marker)
smugglex --raw-request request.txt -H "X-Collab: abcd.oastify.com"
# Route through a proxy (e.g., Burp Suite)
smugglex -x http://127.0.0.1:8080 https://target.com
# Quick scan with limited payloads
smugglex --max-payloads 10 https://target.com
# Quiet mode — only show vulnerabilities
smugglex -q https://target.com
# Adjust baseline measurements for noisy networks
smugglex --baseline-count 5 https://target.com
# Exploit with custom ports
smugglex -e localhost-access --exploit-ports 80,8080,9090 https://target.com