loading
loading
Misconfiguration
A fast tool to scan for CRLF vulnerabilities, written in Go.
overview
crlfuzz tests web targets for CRLF injection, the flaw that lets an attacker smuggle carriage-return and line-feed bytes into a response and split its headers. It appends encoded line-break payloads to a request, then inspects the response to see whether the injection reached the header block. Written in Go, it clears a single URL or a large list at speed with the same flags.
It drops into attack-surface automation without ceremony. Point it at one URL with -u or a file of URLs with -l, dial the concurrency with -c, and route traffic through -x when you want to watch requests in a proxy. -d, -X, and -H carry request data, switch methods, and add headers so you can reach parameters that only surface on POST or behind auth.
On Trickest, crlfuzz is a Misconfiguration node that takes a URL or a URL list and writes a file and a folder of results. Run it after a crawler or URL collector has gathered links worth testing, and set -s so the output holds only the targets that confirmed an injection.
use cases
Feed a file of collected URLs with -l and crlfuzz tests each one for line-break injection into response headers, fast enough to cover a wide scope.
Turn on -s so a large run returns only the URLs that confirmed an injection, giving you a clean list to triage or hand to the next node.
Supply request data with -d, a method with -X, and headers with -H to reach parameters that only exist on non-GET requests or behind authentication.
Raise or lower -c to balance speed against a target's tolerance, and send traffic through -x when you need to inspect requests in a proxy.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url-to-fuzz | STRING | -u | Define a single URL to fuzz. |
| url-list-to-fuzz | FILE | -l | Fuzz every URL within a file. |
| only-vulnerable-targets | BOOLEAN | -s | Show only vulnerable targets in the output. |
| concurrency-level | STRING | -c | Set the concurrency level (default 25). |
| method-to-use | STRING | -X | Request method to use (default GET). |
| Request-data | STRING | -d | Define request data for POST-style tests. |
| custom-header | STRING | -H | Pass a custom header to the target. |
| Proxy | STRING | -x | Route requests through a specified proxy. |
Showing key inputs. crlfuzz exposes 8 inputs in total.
example
# fuzz a list of collected URLs and keep only confirmed CRLF injectionscrlfuzz -l urls.txt -c 40 -s -o crlf-findings.txtcrlfuzz v1.4.1[https://github.com/dwisiswant0/crlfuzz] [VLN] https://example.com/%0d%0aSet-Cookie:crlf=1[VLN] https://app.example.com/r?url=%0d%0aLocation:https://198.51.100.24[NON] https://example.com/about[NON] https://api.example.com/v1/health[NON] https://staging.example.com/loginguidance
Use crlfuzz for fast CRLF injection scanning across a single URL or a large list. It is the quicker Go-based option; CRLFMap adds pacing and Slack alerting if you need them. Pair it with dalfox or nuclei to cover other injection classes on the same URLs.
CRLF and HTTP-splitting scanner with per-thread delay and Slack alerts. Slower, more pacing controls.
Template-driven scanner with CRLF templates among many. Broader coverage, less focused.
Parameter analysis and XSS scanner. Complements crlfuzz on the same parameterized URLs.
faq
related
Leak git repositories from misconfigured sites and rebuild their contents.
A host header injection vulnerability checker for batches of URLs.
Find files on web servers that should not be public and can pose a security risk.
A Go subdomain takeover tool that scans subdomains concurrently to find hijackable ones.
A URL list feeds crlfuzz, which fuzzes each request for CRLF injection and writes the vulnerable targets as a queryable output.
Facts on this page come from the live Trickest tool library.