CRLFsuite is a fast tool specially designed to scan CRLF injection.
$ git clone https://github.com/Nefcore/CRLFsuite.git
$ cd CRLFsuite
$ sudo python3 setup.py install
$ crlfsuite -h
✔️ Single URL scanning
✔️ Multiple URL scanning
✔️ WAF detection
✔️ XSS through CRLF injection
✔️ Stdin supported
✔️ GET & POST method supported
✔️ Concurrency
✔️ Powerful payloads (WAF evasion payloads are also included)
✔️ Fast and efficient scanning with negligible false-positive
| Argument | Discription |
|---|---|
| -u/–url | target URL |
| -i/–import-urls | Import targets from the file |
| -s/–stdin | Scan URLs from stdin |
| -o/–output | Path for output file |
| -m/–method | Request method (GET/POST) |
| -d/–data | POST data |
| -uA/–user-agent | Specify User-Agent |
| -To/–timeout | Connection timeout |
| -c/–cookies | Specify cookies |
| -v/–verify | Verify SSL cert. |
| -t/–threads | Number of concurrent threads |
| -sB/–skip-banner | Skip banner and args info |
| -sP/–show-payloads | Show all the available CRLF payloads |
Single URL scanning:
$ crlfsuite -u “http://testphp.vulnweb.com”
Multiple URLs scanning:
$ crlfsuite -i targets.txt
from stdin:
$ subfinder -d google.com -silent | httpx -silent | crlfsuite -s
Specifying cookies :
$ crlfsuite -u “http://testphp.vulnweb.com” –cookies “key=val; newkey=newval”
Using POST method:
$ crlfsuite -i targets.txt -m POST -d “key=val&newkey=newval”
Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…
Google Chrome is the most widely used web browser in the world. It is fast, secure,…
Java is one of the most widely used programming languages in the world. It runs on…
Raspberry Pi is the most popular single-board computer ever made. It is small, affordable, and surprisingly…
pip is Python's package manager. It lets you search, download, and install packages from the Python Package…
MySQL is the most popular open-source relational database management system. It is fast, reliable, and a…