CRLFuzz

Overview

CRLFuzz is a lightweight, fast CRLF (Carriage Return Line Feed) injection vulnerability scanner written in Go. It efficiently detects CRLF injection vulnerabilities across web applications by testing parameters and headers against multiple payloads. The tool is ideal for bug bounty hunters and penetration testers conducting security assessments on web applications.

Installation

Prerequisites

• Go 1.11+ (for building from source)
• Or download precompiled binaries

From Source

git clone https://github.com/dwisiswant0/crlfuzz.git
cd crlfuzz
go build -o crlfuzz

macOS/Linux (Binary)

wget https://github.com/dwisiswant0/crlfuzz/releases/download/v1.5.0/crlfuzz_1.5.0_linux_amd64.tar.gz
tar -xvf crlfuzz_1.5.0_linux_amd64.tar.gz
chmod +x crlfuzz

Homebrew (macOS)

brew install dwisiswant0/tap/crlfuzz

Windows

Download .exe from releases: https://github.com/dwisiswant0/crlfuzz/releases

Basic Usage

Command	Description
crlfuzz -u <url>	Scan single URL
crlfuzz -l <file>	Scan URLs from file
crlfuzz -u <url> -v	Verbose output
crlfuzz --help	Show help menu
crlfuzz -u <url> -c 10	Set concurrency level

Single URL Scanning

Basic Scan

crlfuzz -u 'http://example.com/?page=test'

With Verbose Output

crlfuzz -u 'http://example.com/?page=test' -v

Show Request/Response Details

crlfuzz -u 'http://example.com/?name=value' -v --show-req --show-resp

Batch Scanning

Scan Multiple URLs from File

crlfuzz -l urls.txt

Create urls.txt:

http://example.com/?page=test
http://example.com/?user=admin
http://example.com/?id=123

Scan All URLs with Verbose Mode

crlfuzz -l urls.txt -v

Output Results to File

crlfuzz -l urls.txt -o results.txt

Concurrency and Performance

Adjust Concurrency Level

crlfuzz -l urls.txt -c 25

Default is 10 concurrent requests. Increase for larger scans.

Maximum Concurrency

crlfuzz -l urls.txt -c 100

Use cautiously to avoid overwhelming target servers.

Timeout Configuration

crlfuzz -u 'http://example.com/?test=value' -t 30

Set timeout in seconds (default is 10 seconds).

Payload Configuration

Default Payloads

CRLFuzz includes built-in CRLF injection payloads:

%0d%0a (URL-encoded CRLF)
%0d (CR only)
%0a (LF only)
\r\n (Raw CRLF)

Custom Payload File

crlfuzz -u 'http://example.com/?page=test' -payloads custom-payloads.txt

Create custom-payloads.txt:

%0d%0a
%0d%0aSet-Cookie:admin=true
%0d%0aLocation:http://evil.com
%0d%0aX-Injected:value

Test Specific Injection Points

crlfuzz -u 'http://example.com/?param=VALUE' -payloads payloads.txt

CRLFuzz replaces VALUE with each payload.

Header Testing

Test Custom Headers

crlfuzz -u 'http://example.com/' -H 'X-Forwarded-For: test' -v

Multiple Custom Headers

crlfuzz -u 'http://example.com/' -H 'User-Agent: test' -H 'X-Custom: value'

Test All Headers

crlfuzz -u 'http://example.com/?page=test' --test-headers

Parameter Fuzzing

Scan All Parameters

crlfuzz -u 'http://example.com/?page=test&user=admin&id=123'

Automatically tests all parameters for CRLF injection.

Focus on Specific Parameter

crlfuzz -u 'http://example.com/?page=test' -param 'page'

Exclude Parameters from Testing

crlfuzz -u 'http://example.com/?page=test&id=123' -skip 'id'

Output Formats

Default Text Output

crlfuzz -u 'http://example.com/?test=value'

Output shows:

• URL
• Vulnerable parameter
• Payload used
• Response status code

JSON Output

crlfuzz -l urls.txt -o results.json -json

CSV Export

crlfuzz -l urls.txt -o results.csv -csv

Suppress Output

crlfuzz -l urls.txt -q

Quiet mode - only shows results.

Proxy Configuration

HTTP Proxy

crlfuzz -u 'http://example.com/?test=value' -proxy http://127.0.0.1:8080

SOCKS5 Proxy

crlfuzz -u 'http://example.com/?test=value' -socks5 127.0.0.1:1080

Proxy with Authentication

crlfuzz -u 'http://example.com/?test=value' -proxy http://user:pass@127.0.0.1:8080

SSL/TLS Options

Ignore SSL Certificate Errors

crlfuzz -u 'https://example.com/?test=value' --insecure

Use Custom CA Certificate

crlfuzz -u 'https://example.com/?test=value' --ca-cert /path/to/ca.crt

HTTP Methods and Request Customization

Test POST Parameters

crlfuzz -u 'http://example.com/' -method POST -data 'param=VALUE&user=test'

PUT Request

crlfuzz -u 'http://example.com/api/resource' -method PUT -data 'field=VALUE'

Custom Request Body

crlfuzz -u 'http://example.com/api' -method POST -data '{"key":"VALUE"}'

Add Request Headers

crlfuzz -u 'http://example.com/?test=VALUE' -H 'Authorization: Bearer token' -H 'Content-Type: application/json'

Response Analysis

Show Response Headers

crlfuzz -u 'http://example.com/?test=value' -v --show-resp

Show Response Body

crlfuzz -u 'http://example.com/?test=value' -v --show-body

Filter by Status Code

crlfuzz -l urls.txt --filter-status 200

Only test URLs that return status 200.

Advanced Filtering

Match Success by Response Content

crlfuzz -u 'http://example.com/?test=value' -match 'Set-Cookie'

Consider vulnerability confirmed if response contains “Set-Cookie”.

Filter Responses Containing Text

crlfuzz -l urls.txt -match 'Location:' -o vulnerable.txt

Rate Limiting

Request Delay (Milliseconds)

crlfuzz -l urls.txt -delay 100

Add 100ms delay between requests.

Requests Per Second

crlfuzz -l urls.txt -rate 10

Limit to 10 requests per second.

Common Workflows

Quick Vulnerability Scan

crlfuzz -u 'http://example.com/?page=home&user=test'

Comprehensive Bug Bounty Scan

crlfuzz -l target-urls.txt -v --show-req --show-resp -o findings.txt

Stealth Scanning

crlfuzz -l urls.txt -delay 500 -c 5 --insecure

Large-Scale Assessment

crlfuzz -l thousands-of-urls.txt -c 50 -t 30 -json -o results.json

CRLF Injection Attack Vectors

Header Injection Attack

Payload: %0d%0aSet-Cookie:admin=true
Result: Response header contains injected Set-Cookie

Response Splitting

Payload: %0d%0a%0d%0aHTTP/1.1 200 OK
Result: Ability to split HTTP response

Session Fixation

Payload: %0d%0aSet-Cookie:SESSIONID=attacker-controlled
Result: Force victim session ID

Open Redirect via Headers

Payload: %0d%0aLocation:http://evil.com
Result: Redirect user to malicious site

Cache Poisoning

Payload: %0d%0aX-Original-URL:/cache-buster
Result: Poison cached responses

Understanding CRLFuzz Output

Example Output

[CRLF] http://example.com/?page=VALUE
[PARAMETER] page
[PAYLOAD] %0d%0aSet-Cookie:admin=true
[STATUS] 200
[FOUND] Yes

Vulnerability Indicators

• Status code change after injection
• Additional headers in response
• Response splitting evidence
• Cookie manipulation detection

Detection Evasion

Randomize User-Agent

crlfuzz -u 'http://example.com/?test=value' -H 'User-Agent: Mozilla/5.0 (random)'

Vary Request Patterns

crlfuzz -l urls.txt -delay 500 -c 3

Rotate Through Payloads

crlfuzz -u 'http://example.com/?test=value' -payloads rotating-payloads.txt

Troubleshooting

Connection Timeout

crlfuzz -u 'http://slow-server.com/?test=value' -t 60

Increase timeout to 60 seconds.

Too Many Errors

crlfuzz -l urls.txt -c 5 -t 30

Reduce concurrency and increase timeout.

SSL Certificate Issues

crlfuzz -u 'https://example.com/?test=value' --insecure

Bypass SSL verification.

Not Finding Vulnerabilities

crlfuzz -u 'http://example.com/?test=value' -payloads extended-payloads.txt -v

Try with custom payloads and verbose mode.

Best Practices

1. Obtain authorization before scanning production systems
2. Start with low concurrency and increase gradually
3. Use appropriate timeouts for slow servers
4. Test parameters individually for precise results
5. Review all findings carefully for false positives
6. Combine with other scanners for comprehensive testing
7. Keep tool updated for latest payload detection

Payload Examples

Basic CRLF

%0d%0a

Header Injection

%0d%0aX-Injected-Header:value

Cookie Injection

%0d%0aSet-Cookie:name=value

Location Redirect

%0d%0aLocation:http://attacker.com

Integration with Other Tools

Pipe URLs from httpx

httpx -l domains.txt | crlfuzz -

With Wayback Machine URLs

waybackurls example.com | crlfuzz -

Combine with Parameter Fuzzer

ffuf -w params.txt -u 'http://example.com/?FUZZ=test' | crlfuzz -

Performance Tips

1. Increase concurrency for large URL lists
2. Use shorter timeouts for quick scans
3. Test parameters in separate scans if needed
4. Monitor CPU and network usage
5. Use filtering to reduce false positives

Legal Considerations

CRLFuzz is for authorized security testing only. Always obtain explicit written permission before testing any system. Unauthorized access and scanning is illegal.

Resources

• GitHub: https://github.com/dwisiswant0/crlfuzz
• CRLF Injection Guide: https://owasp.org/
• Bug Bounty Resources: https://hackerone.com/
• Community: Active GitHub discussions and issues