CRLFsuite is a fast tool specially designed to scan CRLF injection
.
$ git clone https://github.com/Nefcore/CRLFsuite.git
$ cd CRLFsuite
$ sudo python3 setup.py install
$ crlfsuite -h
✔️ Single URL scanning
✔️ Multiple URL scanning
✔️ WAF detection
✔️ XSS through CRLF injection
✔️ Stdin supported
✔️ GET & POST method supported
✔️ Concurrency
✔️ Powerful payloads (WAF evasion payloads are also included)
✔️ Fast and efficient scanning with negligible false-positive
Argument | Discription |
---|---|
-u/--url | target URL |
-i/--import-urls | Import targets from the file |
-s/--stdin | Scan URLs from stdin |
-o/--output | Path for output file |
-m/--method | Request method (GET/POST) |
-d/--data | POST data |
-uA/--user-agent | Specify User-Agent |
-To/--timeout | Connection timeout |
-c/--cookies | Specify cookies |
-v/--verify | Verify SSL cert. |
-t/--threads | Number of concurrent threads |
-sB/--skip-banner | Skip banner and args info |
-sP/--show-payloads | Show all the available CRLF payloads |
Single URL scanning:
$ crlfsuite -u "http://testphp.vulnweb.com"
Multiple URLs scanning:
$ crlfsuite -i targets.txt
from stdin:
$ subfinder -d google.com -silent | httpx -silent | crlfsuite -s
Specifying cookies 🍪:
$ crlfsuite -u "http://testphp.vulnweb.com" --cookies "key=val; newkey=newval"
Using POST method:
$ crlfsuite -i targets.txt -m POST -d "key=val&newkey=newval"
If You're facing some errors or issues with this tool, you can open a issue here: