CRLFuzz : A Fast Tool To Scan CRLF Vulnerability Written In Go

CRLFuzz is a fast tool to scan CRLF vulnerability written in Go.

Installation

From Binary

The installation is easy. You can download a prebuilt binary from releases page, unpack and run! or with

curl -sSfL https://git.io/crlfuzz | sh -s — -b /usr/local/bin

From Source

If you have go1.13+ compiler installed and configured:

GO111MODULE=on go get -v github.com/dwisiswant0/crlfuzz/cmd/crlfuzz

In order to update the tool, you can use -u flag with go get command.

From GitHub

git clone https://github.com/dwisiswant0/crlfuzz
cd crlfuzz/cmd/crlfuzz
go build .
mv crlfuzz /usr/local/bin

Usage

Basic Usage
- Simply, CRLFuzz can be run with:

crlfuzz -u “http://target”

Flags

crlfuzz -h

This will display help for the tool. Here are all the switches it supports.

Flag	Description
-u, –url	Define single URL to fuzz
-l, –list	Fuzz URLs within file
-X, –method	Specify request method to use (default: GET)
-o, –output	File to save results
-d, –data	Define request data
-H, –header	Pass custom header to target
-x, –proxy	Use specified proxy to fuzz
-c, –concurrent	Set the concurrency level (default: 25)
-s, –silent	Silent mode
-v, –verbose	Verbose mode
-V, –version	Show current CRLFuzz version
-h, –help	Display its help

Target

You can define a target in 3 ways:

Single URL

crlfuzz -u “http://target”

URLs from list

crlfuzz -l /path/to/urls.txt

From Stdin

In case you want to chained with other tools.

subfinder -d target -silent | httpx -silent | crlfuzz

Method

By default, CRLFuzz makes requests with GET method. If you want to change it, you can use the -X flag.

crlfuzz -u “http://target” -X “GET”

Output

You can also save fuzzing results to a file with -o flag.

crlfuzz -l /path/to/urls.txt -o /path/to/results.txt

Data

If you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use -d flag.

crlfuzz -u “http://target” -X “POST” -d “data=body”

Adding Headers

May you want to use custom headers to add cookies or other header parts.

crlfuzz -u “http://target” -H “Cookie: …” -H “User-Agent: …”

Using Proxy

Using a proxy, proxy string can be specified with a protocol:// prefix to specify alternative proxy protocols.

crlfuzz -u “http://target” -x http://127.0.0.1:8080

Concurrency

Concurrency is the number of fuzzing at the same time. Default value CRLFuzz provide is 25, you can change it by using -c flag.

crlfuzz -l /path/to/urls.txt -c 50

Silent

If you activate this silent mode with the -s flag, you will only see vulnerable targets.

crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt

Verbose

Unlike silent mode, it will display error details if there is an error with the -v flag.

crlfuzz -l /path/to/urls.txt -v

Version

To display the current version of CRLFuzz with the -V flag.

crlfuzz -V

Library

You can use CRLFuzz as a library.

package main
import (
“fmt”
“github.com/dwisiswant0/crlfuzz/pkg/crlfuzz”
)
func main() {
target := “http://target”
method := “GET”
// Generates a potentially CRLF vulnerable URLs
for _, url := range crlfuzz.GenerateURL(target) {
// Scan against target
vuln, err := crlfuzz.Scan(url, method, “”, []string{}, “”)
if err != nil {
panic(err)
}
if vuln {
fmt.Printf(“VULN! %s\n”, url)
}
}
}