CRLFsuite is a fast tool designed to scan for CRLF injection.


$ git clone
$ cd CRLFsuite
$ sudo python3 install
$ crlfsuite -h


✔️ Single URL scanning

✔️ Multiple URL scanning

✔️ WAF detection

✔️ XSS through CRLF injection

✔️ Stdin supported

✔️ GET & POST method supported

✔️ Concurrency

✔️ Powerful payloads (WAF evasion payloads are also included)

✔️ Fast and efficient scanning with negligible false positives


-u/--url              target URL
-i/--import-urls      Import targets from the file
-s/--stdin            Scan URLs from stdin
-o/--output           Path for output file
-m/--method           Request method (GET/POST)
-d/--data             POST data
-uA/--user-agent      Specify User-Agent
-To/--timeout         Connection timeout
-c/--cookies          Specify cookies
-v/--verify           Verify SSL cert.
-t/--threads          Number of concurrent threads
-sB/--skip-banner     Skip banner and args info
-sP/--show-payloads   Show all the available CRLF payloads


Single URL scanning:

$ crlfsuite -u ""

Multiple URLs scanning:

$ crlfsuite -i targets.txt

From stdin:

$ subfinder -d -silent | httpx -silent | crlfsuite -s

Specifying cookies:

$ crlfsuite -u "" --cookies "key=val; newkey=newval"

Using POST method:

$ crlfsuite -i targets.txt -m POST -d "key=val&newkey=newval"