CRLFuzz – Hacker Tools: Injecting CRLF for bounties 👩‍💻

By Anna Hammond

October 5, 2021

A CRLF injection is the injection of newlines in places where the server doesn’t expect newlines. This can cause a plethora of vulnerabilities including XSS, session fixation, cookie injection, open redirect, and much more! What are we waiting for? Let’s check out CRLFuzz, the tool that can help you!

🙋‍♂️ What is CRLFuzz?

CRLFuzz is a tool written in Go by @dwisiswant0 that helps you find CRLF injections with ease!

It takes a list of URLs and will attempt to inject a header using a list of payloads. If it detects that a header was successfully injected, you’ll be alerted of it. It’s as easy as that.
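What a successful injection looks like from the server's side, as an added example (not code from CRLFuzz or the original article): a constructed model of a handler that copies a decoded parameter into a raw Location header, a hardened variant that rejects CR/LF, and a check for whether an extra header appeared. The function names, the X-Injected-Marker header and the sample input are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// naiveRedirect models a server that copies a decoded query value straight
// into a raw Location header (the vulnerable pattern; hypothetical handler).
func naiveRedirect(rawQuery string) string {
	next, _ := url.QueryUnescape(rawQuery) // %0d%0a becomes a real CR LF here
	return "HTTP/1.1 302 Found\r\nLocation: " + next + "\r\nContent-Length: 0\r\n\r\n"
}

// safeRedirect rejects any value that contains CR or LF after decoding.
func safeRedirect(rawQuery string) (string, error) {
	next, err := url.QueryUnescape(rawQuery)
	if err != nil || strings.ContainsAny(next, "\r\n") {
		return "", errors.New("header value contains CR/LF")
	}
	return "HTTP/1.1 302 Found\r\nLocation: " + next + "\r\nContent-Length: 0\r\n\r\n", nil
}

// hasHeader parses a raw response the way a client would and reports whether
// the named header is present, i.e. whether a header was injected.
func hasHeader(raw, name string) bool {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.Header.Get(name) != ""
}

func main() {
	// Constructed sample input: a path, an encoded CRLF, then a marker header.
	in := "/home%0d%0aX-Injected-Marker:%201"
	fmt.Println("naive response carries marker:", hasHeader(naiveRedirect(in), "X-Injected-Marker"))
	_, err := safeRedirect(in)
	fmt.Println("hardened handler rejects input:", err != nil)
}
```

The same hasHeader check can serve as a regression test around any code path that reflects user input into response headers.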

🐱‍🏍 Our first run!

Check out the video below for an example of how you can use CRLFuzz!

👷‍♀️ Installing CRLFuzz

Want to install CRLFuzz? Just download a release from GitHub, untar it, and you're done!

  1. Download the appropriate release from the releases on GitHub.

  2. Untar the file through tar -xf file

  3. Enjoy the crlfuzz binary

🕴 Command line options

What to fuzz?

  • -u or --url can be used to define a URL to fuzz.

  • -l or --list can be used to specify a file with URLs to fuzz.

What kind of request are we sending?

  • -X or --method can be used to specify the request method to be used. This option defaults to GET.

  • -d or --data can be used to define additional request data.

  • -H or --header can be used to set a custom header to pass to the target.

Outputting what?

  • -o or --output can be used to save results to a file.

  • -v or --verbose can be used to show more information.

  • -s or --silent can be used to not output anything.

Other useful options?

  • -c or --concurrent can be used to set how many concurrent connections will be made. The default is 25.

  • -x or --proxy can be used to specify a proxy.

🚧 Conclusion

CRLFuzz is a tiny, yet helpful tool to find those injection points for your secretive CRLFs. Start using it today and let’s get some bounties!

If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on Waybackurls.


Did you know that there is a video accompanying this article? Check out the playlist!
