ENNAENNA

CRLFuzz

MIT

馃暩 Web ScanningGo

CRLFuzz is a fast tool to scan CRLF (Carriage Return Line Feed) injection vulnerabilities, written in Go. CRLF injection occurs when an attacker can inject \r\n characters into HTTP headers, potentially leading to HTTP response splitting, cache poisoning, cross-site scripting, and session fixation. CRLFuzz tests URLs by injecting CRLF payloads into various positions (query parameters, path, headers) and detecting whether the injected characters appear in the HTTP response headers. It supports reading URLs from stdin (integrating seamlessly with tools like httpx, waybackurls, and gau), concurrent scanning with configurable threads, custom payloads, and output in multiple formats. CRLFuzz is a focused, single-purpose scanner that does one thing well - finding CRLF injection - making it a reliable component in automated vulnerability scanning pipelines.

1.5kstars
144forks
3issues
Updated 1mo ago
+I use this
View on GitHub

Installation

Go

$ go install github.com/dwisiswant0/crlfuzz/cmd/crlfuzz@latest

brew (macOS)

$ brew install crlfuzz

Use Cases

  • Scanning URLs for CRLF injection vulnerabilities in automated pipelines
  • Detecting HTTP response splitting in query parameters and path components
  • Integrating with subdomain and URL discovery tools for large-scale scanning
  • Testing web application header handling for injection weaknesses

Tags

crlf-injectionresponse-splittingheader-injectionscannergogolangvulnerability-scannervulnerability-scanning

Details

Category
馃暩 Web Scanning
Language
Go
License
MIT
Platforms
馃惂linux馃崕macos馃獰windows

Links

GitHub Repository

github.com/dwisiswant0/crlfuzz

Releases

github.com/dwisiswant0/crlfuzz/releases

Issues

github.com/dwisiswant0/crlfuzz/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Used in 1 Workflow

馃暩

Web Application Penetration Test

Intermediate6 steps 路 1-5 days

Community Reviews

Alternatives & Comparisons

Nuclei

Go

Fast vulnerability scanner driven by YAML templates. Thousands of community-contributed detection templates.

Compare CRLFuzz vs Nuclei

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

Compare CRLFuzz vs Feroxbuster

ffuf

Go

Fast web fuzzer written in Go. Fuzz anything - URLs, headers, POST data - with blazing speed.

Compare CRLFuzz vs ffuf

XSStrike

Python

Advanced XSS detection suite. Fuzzing engine, context analysis, and WAF detection/bypass capabilities.

Compare CRLFuzz vs XSStrike

DalFox

Go

Parameter analysis and XSS scanner with automatic payload generation, DOM-based detection, and pipeline support.

Compare CRLFuzz vs DalFox

More in Web Scanning

httpx

Go

Fast multi-purpose HTTP toolkit. Probes for running HTTP servers with retries and fallbacks.

http-probetech-detectionprojectdiscovery

Nikto

Perl

Classic web server scanner. Tests for dangerous files, outdated server software, and version-specific problems.

web-serverclassiccgi-scan

Gobuster

Go

Directory/file, DNS, and vhost busting tool. Brute-forces URIs, DNS subdomains, virtual host names, and S3 buckets.

directory-brutedns-brutevhost

Feroxbuster

Rust

Fast, recursive content discovery tool written in Rust. Like gobuster on steroids with auto-recursion.

directory-bruterecursiverust

Burp Suite Community

Java

Web vulnerability scanner and proxy. Intercept, modify, and replay HTTP/S traffic for web app testing.

proxyweb-appinterceptor

ffuf

Go

Fast web fuzzer written in Go. Fuzz anything - URLs, headers, POST data - with blazing speed.

fuzzingdirectory-brutefast