CRLFuzz - A fast tool to scan CRLF vulnerability written in Go



from Binary

The installation is easy. You can download a prebuilt binary from the releases page, unpack and run! or with

▶ curl -sSfL | sh -s -- -b /usr/local/bin

from Source

If you have go1.13+ compiler installed and configured:

▶ GO111MODULE=on go get -v

In order to update the tool, you can use -u flag with go gets command.

from GitHub

▶ git clone
▶ cd crlfuzz/cmd/crlfuzz
▶ go build .
▶ mv crlfuzz /usr/local/bin


Basic Usage

Simply, CRLFuzz can be run with:

▶ crlfuzz -u "http://target"


▶ crlfuzz -h

This will display help for the tool. Here are all the switches it supports.

Flag Description
-u, --url
Define single URL to fuzz
-l, --list
Fuzz URLs within file
-X, --method
Specify request method to use (default: GET)
-o, --output
File to save results
-d, --data
Define request data
-H, --header
Pass custom header to target
-x, --proxy
Use specified proxy to fuzz
-c, --concurrent
Set the concurrency level (default: 25)
-s, --silent
Silent mode
-v, --verbose
Verbose mode
-V, --version
Show current CRLFuzz version
-h, --help
Display its help


You can define a target in 3 ways:

Single URL

▶ crlfuzz -u "http://target"

URLs from list

▶ crlfuzz -l /path/to/urls.txt

from Stdin

In case you want to chain with other tools.

▶ subfinder -d target -silent | httpx -silent | crlfuzz


By default, CRLFuzz makes requests with GET method. If you want to change it, you can use the -X flag.

▶ crlfuzz -u "http://target" -X "GET"


You can also save fuzzing results to a file with -o flag.

▶ crlfuzz -l /path/to/urls.txt -o /path/to/results.txt


If you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use -d flag.

▶ crlfuzz -u "http://target" -X "POST" -d "data=body"

Adding Headers

May you want to use custom headers to add cookies or other header parts.

▶ crlfuzz -u "http://target" -H "Cookie: ..." -H "User-Agent: ..."

Using Proxy

Using a proxy, the proxy string can be specified with a protocol:// prefix to specify alternative proxy protocols.

▶ crlfuzz -u "http://target" -x


Concurrency is the number of fuzzing at the same time. The default value CRLFuzz provide is 25, you can change it by using -c flag.

▶ crlfuzz -l /path/to/urls.txt -c 50


If you activate this silent mode with the -s flag, you will only see vulnerable targets.

▶ crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt


Unlike silent mode, it will display error details if there is an error with the -v flag.

▶ crlfuzz -l /path/to/urls.txt -v


To display the current version of CRLFuzz with the -V flag.

▶ crlfuzz -V


You can use CRLFuzz as a library.

package main

import (


func main() {
	target := "http://target"
	method := "GET"

	// Generates a potentially CRLF vulnerable URLs
	for _, url := range crlfuzz.GenerateURL(target) {
		// Scan against target
		vuln, err := crlfuzz.Scan(url, method, "", []string{}, "")
		if err != nil {

		if vuln {
			fmt.Printf("VULN! %s\n", url)

Help & Bugs

If you are still confused or found a bug, please open the issue. All bug reports are appreciated, some features have not been tested yet due to lack of free time.


CRLFuzz released under MIT. See LICENSE for more details.


The current version is 1.4.0 and still developing.

September 21, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023