CRLFuzz
Overview
CRLFuzz is a lightweight, fast CRLF (Carriage Return Line Feed) injection vulnerability scanner written in Go. It detects CRLF injection vulnerabilities in web applications by testing parameters and headers against multiple payloads. The tool is aimed at bug bounty hunters and penetration testers conducting security assessments of web applications.
Installation
Prerequisites
- Go 1.11+ (for building from source)
- Or download precompiled binaries
From Source
git clone https://github.com/dwisiswant0/crlfuzz.git
cd crlfuzz
go build -o crlfuzz
macOS/Linux (Binary)
wget https://github.com/dwisiswant0/crlfuzz/releases/download/v1.5.0/crlfuzz_1.5.0_linux_amd64.tar.gz
tar -xvf crlfuzz_1.5.0_linux_amd64.tar.gz
chmod +x crlfuzz
Homebrew (macOS)
brew install dwisiswant0/tap/crlfuzz
Windows
Download the .exe from the releases page: https://github.com/dwisiswant0/crlfuzz/releases
Basic Usage
| Command | Description |
|---|---|
| crlfuzz -u <url> | Scan single URL |
| crlfuzz -l <file> | Scan URLs from file |
| crlfuzz -u <url> -v | Verbose output |
| crlfuzz --help | Show help menu |
| crlfuzz -u <url> -c 10 | Set concurrency level |
Single URL Scanning
Basic Scan
crlfuzz -u 'http://example.com/?page=test'
With Verbose Output
crlfuzz -u 'http://example.com/?page=test' -v
Show Request/Response Details
crlfuzz -u 'http://example.com/?name=value' -v --show-req --show-resp
Batch Scanning
Scan Multiple URLs from File
crlfuzz -l urls.txt
Create urls.txt:
http://example.com/?page=test
http://example.com/?user=admin
http://example.com/?id=123
Scan All URLs with Verbose Mode
crlfuzz -l urls.txt -v
Output Results to File
crlfuzz -l urls.txt -o results.txt
Concurrency and Performance
Adjust Concurrency Level
crlfuzz -l urls.txt -c 25
The default is 10 concurrent requests. Increase it for larger scans.
Maximum Concurrency
crlfuzz -l urls.txt -c 100
Use cautiously to avoid overwhelming target servers.
Timeout Configuration
crlfuzz -u 'http://example.com/?test=value' -t 30
Set the timeout in seconds (default is 10 seconds).
Payload Configuration
Default Payloads
CRLFuzz includes built-in CRLF injection payloads:
%0d%0a (URL-encoded CRLF)
%0d (CR only)
%0a (LF only)
\r\n (Raw CRLF)
Custom Payload File
crlfuzz -u 'http://example.com/?page=test' -payloads custom-payloads.txt
Create custom-payloads.txt:
%0d%0a
%0d%0aSet-Cookie:admin=true
%0d%0aLocation:http://evil.com
%0d%0aX-Injected:value
Test Specific Injection Points
crlfuzz -u 'http://example.com/?param=VALUE' -payloads payloads.txt
CRLFuzz replaces VALUE with each payload.
Header Testing
Test Custom Headers
crlfuzz -u 'http://example.com/' -H 'X-Forwarded-For: test' -v
Multiple Custom Headers
crlfuzz -u 'http://example.com/' -H 'User-Agent: test' -H 'X-Custom: value'
Test All Headers
crlfuzz -u 'http://example.com/?page=test' --test-headers
Parameter Fuzzing
Scan All Parameters
crlfuzz -u 'http://example.com/?page=test&user=admin&id=123'
Automatically tests all parameters for CRLF injection.
Focus on Specific Parameter
crlfuzz -u 'http://example.com/?page=test' -param 'page'
Exclude Parameters from Testing
crlfuzz -u 'http://example.com/?page=test&id=123' -skip 'id'
Output Formats
Default Text Output
crlfuzz -u 'http://example.com/?test=value'
Output shows:
- URL
- Vulnerable parameter
- Payload used
- Response status code
JSON Output
crlfuzz -l urls.txt -o results.json -json
CSV Export
crlfuzz -l urls.txt -o results.csv -csv
Suppress Output
crlfuzz -l urls.txt -q
Quiet mode: shows only results.
Proxy Configuration
HTTP Proxy
crlfuzz -u 'http://example.com/?test=value' -proxy http://127.0.0.1:8080
SOCKS5 Proxy
crlfuzz -u 'http://example.com/?test=value' -socks5 127.0.0.1:1080
Proxy with Authentication
crlfuzz -u 'http://example.com/?test=value' -proxy http://user:pass@127.0.0.1:8080
SSL/TLS Options
Ignore SSL Certificate Errors
crlfuzz -u 'https://example.com/?test=value' --insecure
Use Custom CA Certificate
crlfuzz -u 'https://example.com/?test=value' --ca-cert /path/to/ca.crt
HTTP Methods and Request Customization
Test POST Parameters
crlfuzz -u 'http://example.com/' -method POST -data 'param=VALUE&user=test'
PUT Request
crlfuzz -u 'http://example.com/api/resource' -method PUT -data 'field=VALUE'
Custom Request Body
crlfuzz -u 'http://example.com/api' -method POST -data '{"key":"VALUE"}'
Add Request Headers
crlfuzz -u 'http://example.com/?test=VALUE' -H 'Authorization: Bearer token' -H 'Content-Type: application/json'
Response Analysis
Show Response Headers
crlfuzz -u 'http://example.com/?test=value' -v --show-resp
Show Response Body
crlfuzz -u 'http://example.com/?test=value' -v --show-body
Filter by Status Code
crlfuzz -l urls.txt --filter-status 200
Only test URLs that return status 200.
Advanced Filtering
Match Success by Response Content
crlfuzz -u 'http://example.com/?test=value' -match 'Set-Cookie'
Treat the vulnerability as confirmed if the response contains "Set-Cookie".
Filter Responses Containing Text
crlfuzz -l urls.txt -match 'Location:' -o vulnerable.txt
Rate Limiting
Request Delay (Milliseconds)
crlfuzz -l urls.txt -delay 100
Add a 100 ms delay between requests.
Requests Per Second
crlfuzz -l urls.txt -rate 10
Limit to 10 requests per second.
Common Workflows
Quick Vulnerability Scan
crlfuzz -u 'http://example.com/?page=home&user=test'
Comprehensive Bug Bounty Scan
crlfuzz -l target-urls.txt -v --show-req --show-resp -o findings.txt
Stealth Scanning
crlfuzz -l urls.txt -delay 500 -c 5 --insecure
Large-Scale Assessment
crlfuzz -l thousands-of-urls.txt -c 50 -t 30 -json -o results.json
CRLF Injection Attack Vectors
Header Injection Attack
Payload: %0d%0aSet-Cookie:admin=true
Result: Response header contains injected Set-Cookie
Response Splitting
Payload: %0d%0a%0d%0aHTTP/1.1 200 OK
Result: Ability to split HTTP response
Session Fixation
Payload: %0d%0aSet-Cookie:SESSIONID=attacker-controlled
Result: Force victim session ID
Open Redirect via Headers
Payload: %0d%0aLocation:http://evil.com
Result: Redirect user to malicious site
Cache Poisoning
Payload: %0d%0aX-Original-URL:/cache-buster
Result: Poison cached responses
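The mitigation side of the vectors above, as an added example that is not part of this page or of the CRLFuzz project: a Go redirect endpoint driven by a `?page=` parameter (the parameter name follows the page's own scan examples; `containsCRLF`, `safeRedirectTarget`, `redirectHandler` and `probe` are hypothetical names). Every vector listed relies on the application copying a user-controlled value into a response header after the server has percent-decoded it, so the decoded value is rejected if it carries CR, LF or any other control character, and it must additionally be a local absolute path so the Location header can neither be split nor pointed at another host. `probe` runs the handler in-process with httptest against a benign value and two of the payloads listed above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// containsCRLF reports whether a (percent-decoded) value carries a control
// character that could terminate a header line. CR and LF are the classic
// cases; NUL and the other C0 controls are rejected too, since some parsers
// treat them as line or field terminators. HTAB is legal inside a header value.
func containsCRLF(v string) bool {
	for _, r := range v {
		if r == '\r' || r == '\n' || r == 0x7f || (r < 0x20 && r != '\t') {
			return true
		}
	}
	return false
}

// safeRedirectTarget turns a user-supplied "page" value into a Location header
// value. It refuses control characters and anything that is not a local
// absolute path, which closes both header injection and the open redirect.
func safeRedirectTarget(page string) (string, error) {
	if containsCRLF(page) {
		return "", fmt.Errorf("control characters in redirect target")
	}
	u, err := url.Parse(page)
	if err != nil {
		return "", err
	}
	// Scheme or host present, relative path, or a protocol-relative "//host"
	// form all mean the browser could be sent somewhere else.
	if u.Scheme != "" || u.Host != "" || !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", fmt.Errorf("redirect target must be a local absolute path")
	}
	return u.String(), nil
}

// redirectHandler is the hardened form of a "?page=" redirect: only the
// validated value, never the raw query string, reaches the header.
func redirectHandler(w http.ResponseWriter, r *http.Request) {
	target, err := safeRedirectTarget(r.URL.Query().Get("page"))
	if err != nil {
		http.Error(w, "invalid page parameter", http.StatusBadRequest)
		return
	}
	w.Header().Set("Location", target)
	w.WriteHeader(http.StatusFound)
}

// probe sends one request through the handler in-process and returns the
// status code and the Location header (empty when the request was rejected).
func probe(rawQuery string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/redirect?page="+rawQuery, nil)
	rec := httptest.NewRecorder()
	redirectHandler(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Location")
}

func main() {
	// Constructed inputs: one benign value and two payloads from the page.
	for _, q := range []string{"/home", "%0d%0aSet-Cookie:admin=true", "%0d%0aLocation:http://evil.com"} {
		code, loc := probe(q)
		fmt.Printf("page=%-32s -> %d Location=%q\n", q, code, loc)
	}
}
```

Go's net/http server additionally replaces CR and LF in header values with spaces when it writes a response, so a value that did reach `w.Header().Set` would be reflected inside the Location value rather than become a second header; other servers and frameworks do not all do this, and only the path allowlist stops the open redirect in any case.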
Understanding CRLFuzz Output
Example Output
[CRLF] http://example.com/?page=VALUE
[PARAMETER] page
[PAYLOAD] %0d%0aSet-Cookie:admin=true
[STATUS] 200
[FOUND] Yes
Vulnerability Indicators
- Status code change after injection
- Additional headers in response
- Response splitting evidence
- Cookie manipulation detection
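One way to apply these indicators to captured traffic when reviewing findings, as an added example that is not CRLFuzz's own code: `Analyze` parses a baseline response and a probe response with the standard library's `http.ReadResponse` and reports a status change, header names that only appear in the probe response, a second HTTP status line trailing the first message (the splitting evidence), and the false-positive case where the payload text survives only inside an existing header's value because the server neutralised the CR/LF. The four raw responses are constructed samples, written as if a `?page=` redirect had been probed with the page's Set-Cookie and response-splitting payloads; `Finding`, `parseRaw` and `Analyze` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"sort"
	"strings"
)

// Constructed sample captures, not real traffic.
const (
	// Baseline: the endpoint answered a benign ?page=/home.
	baselineRaw = "HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
	// The server copied the decoded payload into the header verbatim: a real injection.
	injectedRaw = "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie:admin=true\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
	// The server replaced CR/LF with spaces: the text is reflected but harmless.
	sanitizedRaw = "HTTP/1.1 302 Found\r\nLocation: /home  Set-Cookie:admin=true\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
	// A %0d%0a%0d%0aHTTP/1.1 200 OK payload produced a second response on the connection.
	splitRaw = "HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
)

// Finding summarises the differences between the baseline and probe responses,
// following the indicators listed above.
type Finding struct {
	StatusChanged bool     // status code differs from the baseline
	NewHeaders    []string // header names present only in the probe response
	SplitBody     bool     // a second HTTP status line follows the first message
	ReflectedOnly bool     // marker text survives only inside another header's value
}

// parseRaw parses a raw HTTP response and also returns whatever bytes remain
// after the message, which is where a split second response would sit.
func parseRaw(raw string) (*http.Response, []byte, error) {
	br := bufio.NewReader(strings.NewReader(raw))
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return nil, nil, err
	}
	if _, err := io.Copy(io.Discard, resp.Body); err != nil {
		return nil, nil, err
	}
	resp.Body.Close()
	rest, _ := io.ReadAll(br)
	return resp, rest, nil
}

// Analyze compares a baseline response with a probe response. marker is the
// header name the payload tried to inject, e.g. "Set-Cookie".
func Analyze(baselineRaw, probeRaw, marker string) (Finding, error) {
	base, _, err := parseRaw(baselineRaw)
	if err != nil {
		return Finding{}, fmt.Errorf("baseline: %w", err)
	}
	probe, rest, err := parseRaw(probeRaw)
	if err != nil {
		return Finding{}, fmt.Errorf("probe: %w", err)
	}
	f := Finding{StatusChanged: base.StatusCode != probe.StatusCode}
	for name := range probe.Header {
		if _, ok := base.Header[name]; !ok {
			f.NewHeaders = append(f.NewHeaders, name)
		}
	}
	sort.Strings(f.NewHeaders)
	f.SplitBody = strings.HasPrefix(string(rest), "HTTP/1.")
	// No header of its own: check whether the marker is merely embedded in a
	// value, which is what a server that strips or replaces CR/LF produces.
	if probe.Header.Get(marker) == "" {
		needle := strings.ToLower(marker) + ":"
		for _, vals := range probe.Header {
			for _, v := range vals {
				if strings.Contains(strings.ToLower(v), needle) {
					f.ReflectedOnly = true
				}
			}
		}
	}
	return f, nil
}

// Vulnerable reports whether the finding is a confirmed injection rather than
// a harmless reflection of the payload text.
func (f Finding) Vulnerable() bool {
	return f.SplitBody || len(f.NewHeaders) > 0
}

func main() {
	for name, raw := range map[string]string{"injected": injectedRaw, "sanitized": sanitizedRaw, "split": splitRaw} {
		f, err := Analyze(baselineRaw, raw, "Set-Cookie")
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-9s vulnerable=%-5v %+v\n", name, f.Vulnerable(), f)
	}
}
```

The reflected-only case is the one the "Review all findings carefully for false positives" practice below is about: a scanner matching on the string "Set-Cookie" in the raw response would flag it, but no separate header was produced.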
Detection Evasion
Randomize User-Agent
crlfuzz -u 'http://example.com/?test=value' -H 'User-Agent: Mozilla/5.0 (random)'
Vary Request Patterns
crlfuzz -l urls.txt -delay 500 -c 3
Rotate Through Payloads
crlfuzz -u 'http://example.com/?test=value' -payloads rotating-payloads.txt
Troubleshooting
Connection Timeout
crlfuzz -u 'http://slow-server.com/?test=value' -t 60
Increase the timeout to 60 seconds.
Too Many Errors
crlfuzz -l urls.txt -c 5 -t 30
Reduce concurrency and increase the timeout.
SSL Certificate Issues
crlfuzz -u 'https://example.com/?test=value' --insecure
Skip SSL certificate verification.
Not Finding Vulnerabilities
crlfuzz -u 'http://example.com/?test=value' -payloads extended-payloads.txt -v
Try custom payloads together with verbose mode.
Best Practices
- Obtain authorization before scanning production systems
- Start with low concurrency and increase gradually
- Use appropriate timeouts for slow servers
- Test parameters individually for precise results
- Review all findings carefully for false positives
- Combine with other scanners for comprehensive testing
- Keep tool updated for latest payload detection
Payload Examples
Basic CRLF
%0d%0a
Header Injection
%0d%0aX-Injected-Header:value
Cookie Injection
%0d%0aSet-Cookie:name=value
Location Redirect
%0d%0aLocation:http://attacker.com
Integration with Other Tools
Pipe URLs from httpx
httpx -l domains.txt | crlfuzz -
With Wayback Machine URLs
waybackurls example.com | crlfuzz -
Combine with Parameter Fuzzer
ffuf -w params.txt -u 'http://example.com/?FUZZ=test' | crlfuzz -
Performance Tips
- Increase concurrency for large URL lists
- Use shorter timeouts for quick scans
- Test parameters in separate scans if needed
- Monitor CPU and network usage
- Use filtering to reduce false positives
Legal Considerations
CRLFuzz is for authorized security testing only. Always obtain explicit written permission before testing any system. Unauthorized access and scanning are illegal.
Resources
- GitHub: https://github.com/dwisiswant0/crlfuzz
- CRLF Injection Guide: https://owasp.org/
- Bug Bounty Resources: https://hackerone.com/
- Community: Active GitHub discussions and issues