CRLFuzz – Fast Scan CRLF Vulnerabilities Written in Go



from Binary

The installation is easy. You can download a prebuilt binary from releases page, unpack and run! or with

▶ curl -sSfL | sh -s -- -b /usr/local/bin

from Source

If you have go1.13+ compiler installed and configured:

▶ GO111MODULE=on go get -v

In order to update the tool, you can use -u flag with go get command.

from GitHub

▶ git clone
▶ cd crlfuzz/cmd/crlfuzz
▶ go build .
▶ mv crlfuzz /usr/local/bin


Basic Usage

Simply, CRLFuzz can be run with:

▶ crlfuzz -u "http://target"


▶ crlfuzz -h

This will display help for the tool. Here are all the switches it supports.

-u, –urlDefine single URL to fuzz
-l, –listFuzz URLs within file
-X, –methodSpecify request method to use (default: GET)
-o, –outputFile to save results
-d, –dataDefine request data
-H, –headerPass custom header to target
-x, –proxyUse specified proxy to fuzz
-c, –concurrentSet the concurrency level (default: 25)
-s, –silentSilent mode
-v, –verboseVerbose mode
-V, –versionShow current CRLFuzz version
-h, –helpDisplay its help


You can define a target in 3 ways:

Single URL

▶ crlfuzz -u "http://target"

URLs from list

▶ crlfuzz -l /path/to/urls.txt

from Stdin

In case you want to chained with other tools.

▶ subfinder -d target -silent | httpx -silent | crlfuzz


By default, CRLFuzz makes requests with GET method. If you want to change it, you can use the -X flag.

▶ crlfuzz -u "http://target" -X "GET"


You can also save fuzzing results to a file with -o flag.

▶ crlfuzz -l /path/to/urls.txt -o /path/to/results.txt


If you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use -d flag.

▶ crlfuzz -u "http://target" -X "POST" -d "data=body"

Adding Headers

May you want to use custom headers to add cookies or other header parts.

▶ crlfuzz -u "http://target" -H "Cookie: ..." -H "User-Agent: ..."

Using Proxy

Using a proxy, proxy string can be specified with a protocol:// prefix to specify alternative proxy protocols.

▶ crlfuzz -u "http://target" -x


Concurrency is the number of fuzzing at the same time. Default value CRLFuzz provide is 25, you can change it by using -c flag.

▶ crlfuzz -l /path/to/urls.txt -c 50


If you activate this silent mode with the -s flag, you will only see vulnerable targets.

▶ crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt


Unlike silent mode, it will display error details if there is an error with the -v flag.

▶ crlfuzz -l /path/to/urls.txt -v


To display the current version of CRLFuzz with the -V flag.

▶ crlfuzz -V


You can use CRLFuzz as a library.

package main

import (


func main() {
	target := "http://target"
	method := "GET"

	// Generates a potentially CRLF vulnerable URLs
	for _, url := range crlfuzz.GenerateURL(target) {
		// Scan against target
		vuln, err := crlfuzz.Scan(url, method, "", []string{}, "")
		if err != nil {

		if vuln {
			fmt.Printf("VULN! %s\n", url)


Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *