loading
loading
Vulnerabilities
A tool to find HTTP splitting vulnerabilities.
overview
crlfmap tests web targets for CRLF injection, the flaw behind HTTP response splitting. It sends carriage-return and line-feed sequences inside parameters and watches whether the application reflects them into response headers, which can let an attacker forge headers, set cookies, or poison caches.
It is built to run over a file of domains with parameters rather than a single URL, so it fits attack-surface automation where parameterized links come from a crawler or archive source. Threading, timeouts, and a per-thread delay pace the scan, and a Slack webhook can push findings to a channel.
Feed it parameterized URLs after a crawler or archive miner has gathered candidates worth testing, then triage the splittable parameters it reports.
use cases
Feed a list of domains with parameters via -d and crlfmap injects line-break sequences to find where they leak into response headers.
Point --payloads at your own list to cover encodings and bypasses the default set misses, useful against filtered targets.
Set --threads, --timeout, and --delay so the scan stays within a target's tolerance during a wide run.
Send results to a Slack webhook with --slack-webhook so a scheduled scan notifies the team when a splittable parameter appears.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-domains | FILE | -d | Location of domains with parameters to scan. |
| scan-mode | BOOLEAN | scan | Run the tool in scan mode. |
| payloads | FILE | --payloads | Location of payloads to generate on requests (default payloads.txt). |
| threads | STRING | --threads | Number of threads to run crlfmap on (default 1). |
| timeout | STRING | --timeout | Time before closing a connection that could be hung (default 10). |
| delay-milisec | STRING | --delay | Time each thread waits between requests, in milliseconds. |
| user-agent | STRING | --user-agent | User agent string for requests. |
| slack-webhook | STRING | --slack-webhook | Slack webhook to send findings to a channel. |
Showing key inputs. crlfmap exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| threads | STRING | --threads | Number of threads to run crlfmap on (default 1) |
| timeout | STRING | --timeout | The amount of time needed to close a connection that could be hung (default 10) |
| verbose | BOOLEAN | --verbose | Verbose output. |
| payloads | FILE | --payloads | Location of payloads to generate on requests (default "payloads.txt") |
| scan-mode | BOOLEAN | scan | Scan mode |
| user-agent | STRING | --user-agent | User agent for requests (default "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36") |
| delay-milisec | STRING | --delay | The time each threads waits between requests in milliseconds |
| slack-webhook | STRING | --slack-webhook | Slack webhook to send findings to a channel |
| target-domains | FILE | -d | Location of domains with parameters to scan |
example
# scan parameterized URLs for CRLF / HTTP splittingcrlfmap scan -d targets.txt --payloads payloads.txt --threads 4 --delay 200 --timeout 10[VULN] https://www.example.com/search?q=test%0d%0aSet-Cookie:crlf=1[VULN] https://api.example.com/v1/redirect?url=https://example.com%0d%0aX-Injected:1[INFO] scanned 128 targets with 12 payloads[INFO] threads=4 delay=200ms timeout=10s[VULN] https://app.example.com/login?next=%0d%0aLocation:%20https://evil.example[DONE] 3 vulnerable parameters writtenguidance
Use CRLFMap to test parameterized URLs specifically for CRLF injection and HTTP splitting. For a faster Go-based CRLF scanner, crlfuzz is a sibling option. For broad coverage of many vulnerability classes, run nuclei alongside it.
Fast Go CRLF scanner. Lighter and quicker, fewer pacing controls than CRLFMap.
Template-driven scanner with CRLF templates among many checks. Broader, less focused.
Parameter analysis and XSS scanner. Complements CRLFMap on the same parameterized URLs.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
A list of parameterized URLs feeds CRLFMap, which injects CRLF payloads and writes the splittable parameters it finds as a queryable output.
Facts on this page come from the live Trickest tool library.