CRLFuzz is a fast tool to scan CRLF vulnerability written in Go.
Installation
The installation is easy. You can download a prebuilt binary from releases page, unpack and run! or with
curl -sSfL https://git.io/crlfuzz | sh -s — -b /usr/local/bin
If you have go1.13+ compiler installed and configured:
GO111MODULE=on go get -v github.com/dwisiswant0/crlfuzz/cmd/crlfuzz
In order to update the tool, you can use -u flag with go get command.
git clone https://github.com/dwisiswant0/crlfuzz
cd crlfuzz/cmd/crlfuzz
go build .
mv crlfuzz /usr/local/bin
Usage
crlfuzz -u “http://target”
crlfuzz -h
This will display help for the tool. Here are all the switches it supports.
| Flag | Description |
|---|---|
| -u, –url | Define single URL to fuzz |
| -l, –list | Fuzz URLs within file |
| -X, –method | Specify request method to use (default: GET) |
| -o, –output | File to save results |
| -d, –data | Define request data |
| -H, –header | Pass custom header to target |
| -x, –proxy | Use specified proxy to fuzz |
| -c, –concurrent | Set the concurrency level (default: 25) |
| -s, –silent | Silent mode |
| -v, –verbose | Verbose mode |
| -V, –version | Show current CRLFuzz version |
| -h, –help | Display its help |
You can define a target in 3 ways:
crlfuzz -u “http://target”
crlfuzz -l /path/to/urls.txt
In case you want to chained with other tools.
subfinder -d target -silent | httpx -silent | crlfuzz
By default, CRLFuzz makes requests with GET method. If you want to change it, you can use the -X flag.
crlfuzz -u “http://target” -X “GET”
You can also save fuzzing results to a file with -o flag.
crlfuzz -l /path/to/urls.txt -o /path/to/results.txt
If you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use -d flag.
crlfuzz -u “http://target” -X “POST” -d “data=body”
May you want to use custom headers to add cookies or other header parts.
crlfuzz -u “http://target” -H “Cookie: …” -H “User-Agent: …”
Using a proxy, proxy string can be specified with a protocol:// prefix to specify alternative proxy protocols.
crlfuzz -u “http://target” -x http://127.0.0.1:8080
Concurrency
Concurrency is the number of fuzzing at the same time. Default value CRLFuzz provide is 25, you can change it by using -c flag.
crlfuzz -l /path/to/urls.txt -c 50
If you activate this silent mode with the -s flag, you will only see vulnerable targets.
crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt
Unlike silent mode, it will display error details if there is an error with the -v flag.
crlfuzz -l /path/to/urls.txt -v
To display the current version of CRLFuzz with the -V flag.
crlfuzz -V
You can use CRLFuzz as a library.
package main
import (
“fmt”
“github.com/dwisiswant0/crlfuzz/pkg/crlfuzz”
)
func main() {
target := “http://target”
method := “GET”
// Generates a potentially CRLF vulnerable URLs
for _, url := range crlfuzz.GenerateURL(target) {
// Scan against target
vuln, err := crlfuzz.Scan(url, method, “”, []string{}, “”)
if err != nil {
panic(err)
}
if vuln {
fmt.Printf(“VULN! %s\n”, url)
}
}
}
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…