CRLFuzz – Bug Bounty CRLF Scanner


A fast tool to scan CRLF vulnerability written in Go



from Binary

The installation is easy. You can download a prebuilt binary from releases page, unpack and run! or with

▶ curl -sSfL dw1.io/crlfuzz.sh | sh -s -- -b /usr/local/bin

from Source

If you have go1.13+ compiler installed and configured:

▶ GO111MODULE=on go get -v dw1.io/crlfuzz/cmd/crlfuzz

In order to update the tool, you can use -u flag with go get command.

from GitHub

▶ git clone https://github.com/dwisiswant0/crlfuzz
▶ cd crlfuzz/cmd/crlfuzz
▶ go build .
▶ mv crlfuzz /usr/local/bin


Basic Usage

Simply, CRLFuzz can be run with:

▶ crlfuzz -u "http://target"


▶ crlfuzz -h

This will display help for the tool. Here are all the switches it supports.

-u, –urlDefine single URL to fuzz
-l, –listFuzz URLs within file
-X, –methodSpecify request method to use (default: GET)
-d, –dataDefine request data
-H, –headerPass custom header to target
-x, –proxyUse specified proxy to fuzz
-c, –concurrentSet the concurrency level (default: 20)
-s, –silentSilent mode
-v, –verboseVerbose mode
-V, –versionShow current CRLFuzz version
-h, –helpDisplay its help


You can define a target in 3 ways:

Single URL

▶ crlfuzz -u "http://target"

URLs from list

▶ crlfuzz -l /path/to/urls.txt

from Stdin

In case you want to chained with other tools.

▶ subfinder -d target -silent | httpx -silent | crlfuzz


By default, CRLFuzz makes requests with GET method. If you want to change it, you can use the -X flag.

▶ crlfuzz -u "http://target" -X "GET"


If you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use -d flag.

▶ crlfuzz -u "http://target" -X "POST" -d "data=body"

Adding Headers

May you want to use custom headers to add cookies or other header parts.

▶ crlfuzz -u "http://target" -H "Cookie: ..." -H "User-Agent: ..."

Using Proxy

Using a proxy, proxy string can be specified with a protocol:// prefix to specify alternative proxy protocols.

▶ crlfuzz -u "http://target" -x


Concurrency is the number of fuzzing at the same time. Default value CRLFuzz provide is 20, you can change it by using -c flag.

▶ crlfuzz -l /path/to/urls.txt -c 25


If you activate this silent mode with the -s flag, you will only see vulnerable targets.

▶ crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt


Unlike silent mode, it will display error details if there is an error with the -v flag.

▶ crlfuzz -l /path/to/urls.txt -v


To display the current version of CRLFuzz with the -V flag.

▶ crlfuzz -V


You can use CRLFuzz as a library.

package main

import (


func main() {
	target := "http://target"
	method := "GET"

	// Generates a potentially CRLF vulnerable URLs
	for _, url := range crlfuzz.GenerateURL(target) {
		// Scan against target
		vuln, err := crlfuzz.Scan(url, method, "", []string{}, "")
		if err != nil {

		if vuln {
			fmt.Printf("VULN! %s\n", url)

Help & Bugs

If you are still confused or found a bug, please open the issue. All bug reports are appreciated, some features have not been tested yet due to lack of free time.


CRLFuzz released under MIT. See LICENSE for more details.


Current version is 0.0.3 and still development.

Kali Linux 2020.3 Release (ZSH, Win-Kex, HiDPI & Bluetooth Arsenal)

Previous article

xxexploiter: Exploit XXE vulnerabilities

Next article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *

More in Hacking