Quickstart

This page shows the fastest way to install OpenDoor and run common scans.


Install

Recommended installation for most CLI users:

pipx install opendoor

Alternative installation with pip:

python3 -m pip install --upgrade opendoor

On macOS, OpenDoor can also be installed with Homebrew:

brew install opendoor

Verify the installation:

opendoor --version
opendoor --help

Show update instructions for your installation method:

opendoor --update

--update is instruction-only. It does not execute package-manager commands and should be used with the same package manager that installed OpenDoor.


Run a basic directory scan

opendoor --host https://example.com

By default, OpenDoor runs a directory discovery scan using the built-in directory dictionary.


Scan subdomains

opendoor --host example.com --scan subdomains

Use a domain name for subdomain discovery.


Use a custom wordlist

Use a local file:

opendoor --host https://example.com --wordlist ./wordlist.txt

Use a remote HTTP(S) wordlist:

opendoor --host https://example.com --wordlist https://example.com/wordlists/admin.txt

Remote wordlists are downloaded before the scan starts and then behave like local wordlists. They are marked as external in the startup banner and are limited to 500 MB.


Scan multiple targets from a file

Create targets.txt:

https://example.com
https://app.example.com
example.org

Run:

opendoor --hostlist targets.txt

Read targets from stdin

cat targets.txt | opendoor --stdin

This is useful for pipelines and automation.


Save reports

opendoor --host https://example.com --reports std,json,html --reports-dir ./reports

Common report formats:

| Format | Usage |
|--------|-------|
| std | Terminal output |
| txt | Plain text output |
| json | Automation and processing |
| csv | Spreadsheet-friendly output |
| html | Human-readable report |
| sqlite | Structured local analysis |

Reduce false positives

Use response filters:

opendoor --host https://example.com --exclude-status 404,429,500-599
opendoor --host https://example.com --exclude-size-range 0-256

Use auto-calibration:

opendoor --host https://example.com --auto-calibrate

Auto-calibration helps classify soft-404, wildcard, and catch-all responses.
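
The following is an added illustration of baseline calibration as a general technique for HTTP paths; it is not OpenDoor's own algorithm. The probe values, the `slack` parameter and the function names are constructed for the example.

```python
from statistics import median

def build_baseline(probes):
    """probes: (status, body_length) pairs returned for random paths that
    cannot exist on the target. A catch-all site answers them all alike."""
    lengths = [length for _, length in probes]
    return {
        "statuses": {status for status, _ in probes},
        "length": median(lengths),
        # Bodies that echo the requested path vary by a few bytes.
        "spread": max(lengths) - min(lengths),
    }

def classify(baseline, status, length, slack=32):
    """Label one scan response against the calibrated baseline."""
    if status == 404:
        return "not-found"
    tolerance = baseline["spread"] + slack
    same_status = status in baseline["statuses"]
    same_size = abs(length - baseline["length"]) <= tolerance
    if same_status and same_size:
        return "soft-404"      # looks like the site's generic error page
    return "candidate"         # differs from the baseline, worth reviewing

# Constructed sample: the site returns 200 and about 5 KB for unknown paths.
SAMPLE_BASELINE = build_baseline([(200, 5120), (200, 5131), (200, 5124)])
```

A fixed filter such as `--exclude-size-range` needs the size of the error page known in advance; a baseline measures it per target.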


Detect technologies

opendoor --host https://example.com --fingerprint

Fingerprinting attempts to identify probable CMS, frameworks, application stacks, and infrastructure providers.


Scan a legacy HTTPS target

Most HTTPS targets need no TLS-specific option. If a legacy server is reachable in a browser but OpenDoor reports a TLS handshake failure such as DH_KEY_TOO_SMALL, retry with explicit legacy TLS compatibility:

opendoor --host https://legacy.example.com --tls-legacy

Use this only for weak-DH compatibility. For details, see TLS compatibility.


Detect WAF behavior

opendoor --host https://example.com --waf-detect

Use safe mode for a cautious scan profile:

opendoor --host https://example.com --waf-safe-mode

Safe mode is designed to reduce aggressive behavior after WAF or anti-bot signals are detected.


Probe Header Injection Bypass

Header Injection Bypass is an opt-in check for authorized testing of blocked 401 and 403 paths.

It sends controlled, temporary per-request headers and records exact evidence when a blocked response changes to a meaningful result.

opendoor \
  --host https://example.com \
  --method GET \
  --waf-detect \
  --header-bypass \
  --header-bypass-limit 32 \
  --reports std,json,csv,sqlite

Customize trigger statuses, trusted IP values, and tested headers:

opendoor \
  --host https://example.com \
  --method GET \
  --header-bypass \
  --header-bypass-status 401,403 \
  --header-bypass-ips 127.0.0.1,10.0.0.1 \
  --header-bypass-headers X-Original-URL,X-Rewrite-URL,X-Forwarded-For,X-Real-IP \
  --reports json,html,sqlite

Use this only on systems you own or have explicit permission to test.
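
For whoever owns the system under test, the added example below (not OpenDoor code) shows the misconfiguration that such a finding points to, and the corrected check. It covers only the client-IP headers; the networks, proxy address and function names are constructed for the example.

```python
import ipaddress

# Constructed values for this example only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
TRUSTED_PROXIES = {"192.0.2.10"}   # the only hop allowed to assert a client IP

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def weak_status(peer_ip, headers):
    """Misconfigured: believes the address the client claims in a header."""
    claimed = headers.get("X-Forwarded-For", headers.get("X-Real-IP", peer_ip))
    return 200 if is_internal(claimed.split(",")[0]) else 403

def hardened_status(peer_ip, headers):
    """Uses the socket peer. X-Forwarded-For counts only when the peer is a
    trusted proxy, and then only the right-most hop that is not a proxy."""
    client = peer_ip
    if peer_ip in TRUSTED_PROXIES:
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
        for hop in reversed(hops):
            if hop and hop not in TRUSTED_PROXIES:
                client = hop
                break
    return 200 if is_internal(client) else 403

def flipped(check, peer_ip="203.0.113.7"):
    """Header/value pairs that turn a baseline 403 from an outside peer into
    another status: the evidence a header-bypass probe would record."""
    if check(peer_ip, {}) != 403:
        return []
    return [(name, ip)
            for name in ("X-Forwarded-For", "X-Real-IP")
            for ip in ("127.0.0.1", "10.0.0.1")
            if check(peer_ip, {name: ip}) != 403]
```

`flipped()` can be kept as a regression test for an access check: it should return an empty list.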


Resume interrupted scans

Save progress:

opendoor --host https://example.com --session-save scan.session

Resume later:

opendoor --session-load scan.session

Use a proxy

opendoor --host https://example.com --proxy socks5://127.0.0.1:9050

Or explicitly select proxy transport:

opendoor --host https://example.com --transport proxy --proxy socks5://127.0.0.1:9050

Use OpenVPN transport

opendoor \
  --host https://example.com \
  --transport openvpn \
  --transport-profile ./profile.ovpn

For username/password based OpenVPN profiles:

opendoor \
  --host https://example.com \
  --transport openvpn \
  --transport-profile ./profile.ovpn \
  --openvpn-auth ./auth.txt

Use WireGuard transport

opendoor \
  --host https://example.com \
  --transport wireguard \
  --transport-profile ./profile.conf

Never commit real VPN private keys or credentials to the repository.
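
One way to enforce this before a commit, as an added example that is not part of OpenDoor: a content check for key material in WireGuard and OpenVPN profile files. The function names and sample file contents are constructed; when run as a script it takes file paths as arguments and exits 1 on a finding.

```python
import re
import sys
from pathlib import Path

CHECKS = {
    # WireGuard keys are 32 bytes: 43 base64 characters plus one '='.
    "wireguard-key": re.compile(
        r"^\s*(?:PrivateKey|PresharedKey)\s*=\s*[A-Za-z0-9+/]{43}=\s*$", re.M),
    # PEM private keys, for example inside an inline <key> block of an .ovpn file.
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # Static key carried by inline <tls-auth> / <tls-crypt> blocks.
    "openvpn-static-key": re.compile(r"-----BEGIN OpenVPN Static key V1-----"),
}

def find_secrets(text):
    """Return the sorted names of every check that matches the content."""
    return sorted(name for name, rx in CHECKS.items() if rx.search(text))

def scan_files(files):
    """files: mapping of path -> content. Return {path: findings} for hits only."""
    report = {}
    for path, text in files.items():
        hits = find_secrets(text)
        if hits:
            report[path] = hits
    return report

# Constructed samples: a filled-in profile, a safe template, an inline key.
SAMPLES = {
    "profile.conf": "[Interface]\nPrivateKey = " + "A" * 43 + "=\nAddress = 10.0.0.2/32\n",
    "profile.conf.example": "[Interface]\nPrivateKey = <set-at-deploy-time>\n",
    "profile.ovpn": "client\n<key>\n-----BEGIN PRIVATE KEY-----\n(constructed)\n"
                    "-----END PRIVATE KEY-----\n</key>\n",
}

if __name__ == "__main__":
    found = scan_files({p: Path(p).read_text(errors="replace") for p in sys.argv[1:]})
    for path, hits in found.items():
        print(f"{path}: {', '.join(hits)}")
    sys.exit(1 if found else 0)
```

A username/password file such as `auth.txt` has no recognizable marker, so it is better excluded by path, for example through `.gitignore`.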


CI/CD example

opendoor \
  --host https://example.com \
  --header-bypass \
  --fail-on-bucket success,auth,forbidden,bypass \
  --reports json,sqlite

OpenDoor will complete the scan and return exit code 1 only if selected result buckets are found.

The bypass bucket can be used as a CI/CD signal when Header Injection Bypass candidates should fail the pipeline.


Next steps

Read the full Usage page for all CLI options.