CRLFsuite is a fast tool specially designed to scan CRLF injection.
$ git clone https://github.com/Nefcore/CRLFsuite.git
$ cd CRLFsuite
$ sudo python3 setup.py install
$ crlfsuite -h✔️ Single URL scanning
✔️ Multiple URL scanning
✔️ WAF detection
✔️ XSS through CRLF injection
✔️ Stdin supported
✔️ GET & POST method supported
✔️ Concurrency
✔️ Powerful payloads (WAF evasion payloads are also included)
✔️ Fast and efficient scanning with negligible false-positive
| Argument | Discription |
|---|---|
| -u/--url | target URL |
| -i/--import-urls | Import targets from the file |
| -s/--stdin | Scan URLs from stdin |
| -o/--output | Path for output file |
| -m/--method | Request method (GET/POST) |
| -d/--data | POST data |
| -uA/--user-agent | Specify User-Agent |
| -To/--timeout | Connection timeout |
| -c/--cookies | Specify cookies |
| -v/--verify | Verify SSL cert. |
| -t/--threads | Number of concurrent threads |
| -sB/--skip-banner | Skip banner and args info |
| -sP/--show-payloads | Show all the available CRLF payloads |
Single URL scanning:
$ crlfsuite -u "http://testphp.vulnweb.com"Multiple URLs scanning:
$ crlfsuite -i targets.txt
from stdin:
$ subfinder -d google.com -silent | httpx -silent | crlfsuite -sSpecifying cookies 🍪:
$ crlfsuite -u "http://testphp.vulnweb.com" --cookies "key=val; newkey=newval"Using POST method:
$ crlfsuite -i targets.txt -m POST -d "key=val&newkey=newval"If You're facing some errors or issues with this tool, you can open a issue here: