{"id":13542028,"url":"https://github.com/dwisiswant0/crlfuzz","last_synced_at":"2025-05-14T06:14:12.153Z","repository":{"id":37722859,"uuid":"287130193","full_name":"dwisiswant0/crlfuzz","owner":"dwisiswant0","description":"A fast tool to scan CRLF vulnerability written in Go","archived":false,"fork":false,"pushed_at":"2025-04-04T00:00:38.000Z","size":3761,"stargazers_count":1409,"open_issues_count":2,"forks_count":146,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-04-11T00:53:02.764Z","etag":null,"topics":["crlf-injection","go","golang","vulnerability-scanner","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dwisiswant0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["dwisiswant0"],"custom":["https://paypal.me/dw1s","https://saweria.co/dwisiswant0","https://unstoppabledomains.com/d/dwisiswant0.crypto"]}},"created_at":"2020-08-12T22:47:35.000Z","updated_at":"2025-04-10T14:31:00.000Z","dependencies_parsed_at":"2023-02-13T21:01:34.822Z","dependency_job_id":"4344d668-6acd-4887-b6cc-776da0fec46f","html_url":"https://github.com/dwisiswant0/crlfuzz","commit_stats":{"total_commits":47,"total_committers":3,"mean_commits":"15.666666666666666","dds":0.3829787234042553,"last_synced_commit":"7a442bb03f3c337f34b1ed7664bae50bde3eb455"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwisiswant0%2Fcrlfuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwisiswant0%2Fcrlfuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwisiswant0%2Fcrlfuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwisiswant0%2Fcrlfuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dwisiswant0","download_url":"https://codeload.github.com/dwisiswant0/crlfuzz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248322609,"owners_count":21084336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crlf-injection","go","golang","vulnerability-scanner","vulnerability-scanning"],"created_at":"2024-08-01T10:01:00.364Z","updated_at":"2025-04-11T00:53:09.237Z","avatar_url":"https://github.com/dwisiswant0.png","language":"Go","funding_links":["https://github.com/sponsors/dwisiswant0","https://paypal.me/dw1s","https://saweria.co/dwisiswant0","https://unstoppabledomains.com/d/dwisiswant0.crypto"],"categories":["Exploitation","Weapons","Shell (473)","Shell","Repositories","Go","漏洞扫描"],"sub_categories":["CRLF Injection","Tools"],"readme":"# CRLFuzz\n\n[![made-with-Go](https://img.shields.io/badge/made%20with-Go-brightgreen.svg)](http://golang.org)\n[![go-report](https://goreportcard.com/badge/github.com/dwisiswant0/crlfuzz)](https://goreportcard.com/report/github.com/dwisiswant0/crlfuzz)\n[![license](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT)\n[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwisiswant0/crlfuzz/issues)\n[![godoc](https://img.shields.io/badge/godoc-reference-brightgreen.svg)](https://godoc.org/github.com/dwisiswant0/crlfuzz)\n\nA fast tool to scan CRLF vulnerability written in Go\n\n\u003cimg src=\"https://user-images.githubusercontent.com/25837540/90128972-fc3bdf00-dd91-11ea-8c3b-0d6f4e8c6ba3.png\" height=\"350\"\u003e\n\n---\n\n## Resources\n\n- [Installation](#installation)\n\t- [from Binary](#from-binary)\n\t- [from Source](#from-source)\n\t- [from GitHub](#from-github)\n- [Usage](#usage)\n\t- [Basic Usage](#basic-usage)\n\t- [Flags](#flags)\n\t- [Target](#target)\n\t\t- [Single URL](#single-url)\n\t\t- [URLs from list](#urls-from-list)\n\t\t- [from Stdin](#from-stdin)\n\t- [Method](#method)\n\t- [Data](#data)\n\t- [Adding Headers](#adding-headers)\n\t- [Using Proxy](#using-proxy)\n\t- [Concurrency](#concurrency)\n\t- [Silent](#silent)\n\t- [Verbose](#verbose)\n\t- [Version](#version)\n\t- [Library](#library)\n- [Help \u0026 Bugs](#help--bugs)\n- [License](#license)\n- [Version](#version)\n\n## Installation\n\n### from Binary\n\nThe installation is easy. You can download a prebuilt binary from [releases page](https://github.com/dwisiswant0/crlfuzz/releases), unpack and run! or with\n\n```bash\n▶ curl -sSfL https://git.io/crlfuzz | sh -s -- -b /usr/local/bin\n```\n\n### from Source\n\nIf you have go1.13+ compiler installed and configured:\n\n```bash\n▶ GO111MODULE=on go install github.com/dwisiswant0/crlfuzz/cmd/crlfuzz@latest\n```\n\nIn order to update the tool, you can use `-u` flag with go get command.\n\n### from GitHub\n\n```bash\n▶ git clone https://github.com/dwisiswant0/crlfuzz\n▶ cd crlfuzz/cmd/crlfuzz\n▶ go build .\n▶ mv crlfuzz /usr/local/bin\n```\n\n## Usage\n\n### Basic Usage\n\nSimply, CRLFuzz can be run with:\n\n```bash\n▶ crlfuzz -u \"http://target\"\n```\n\n### Flags\n\n```bash\n▶ crlfuzz -h\n```\n\nThis will display help for the tool. Here are all the switches it supports.\n\n| Flag             \t| Description                                    \t|\n|------------------\t|------------------------------------------------\t|\n| -u, --url        \t| Define single URL to fuzz                      \t|\n| -l, --list       \t| Fuzz URLs within file                          \t|\n| -X, --method     \t| Specify request method to use _(default: GET)_ \t|\n| -o, --output     \t| File to save results                              |\n| -d, --data       \t| Define request data                            \t|\n| -H, --header     \t| Pass custom header to target                   \t|\n| -x, --proxy      \t| Use specified proxy to fuzz                       |\n| -c, --concurrent \t| Set the concurrency level _(default: 25)_      \t|\n| -s, --silent     \t| Silent mode                                    \t|\n| -v, --verbose    \t| Verbose mode                                   \t|\n| -V, --version    \t| Show current CRLFuzz version                   \t|\n| -h, --help       \t| Display its help                               \t|\n\n### Target\n\nYou can define a target in 3 ways:\n\n#### Single URL\n\n```bash\n▶ crlfuzz -u \"http://target\"\n```\n\n#### URLs from list\n\n```bash\n▶ crlfuzz -l /path/to/urls.txt\n```\n\n#### from Stdin\n\nIn case you want to chained with other tools.\n\n```bash\n▶ subfinder -d target -silent | httpx -silent | crlfuzz\n```\n\n### Method\n\nBy default, CRLFuzz makes requests with `GET` method.\nIf you want to change it, you can use the `-X` flag.\n\n```bash\n▶ crlfuzz -u \"http://target\" -X \"GET\"\n```\n\n### Output\n\nYou can also save fuzzing results to a file with `-o` flag.\n\n```bash\n▶ crlfuzz -l /path/to/urls.txt -o /path/to/results.txt\n```\n\n### Data\n\nIf you want to send a data request using POST, DELETE. PATCH or other methods, you just need to use `-d` flag.\n\n```bash\n▶ crlfuzz -u \"http://target\" -X \"POST\" -d \"data=body\"\n```\n\n### Adding Headers\n\nMay you want to use custom headers to add cookies or other header parts.\n\n```bash\n▶ crlfuzz -u \"http://target\" -H \"Cookie: ...\" -H \"User-Agent: ...\"\n```\n\n### Using Proxy\n\nUsing a proxy, proxy string can be specified with a `protocol://` prefix to specify alternative proxy protocols.\n\n```bash\n▶ crlfuzz -u \"http://target\" -x http://127.0.0.1:8080\n```\n\n### Concurrency\n\nConcurrency is the number of fuzzing at the same time. Default value CRLFuzz provide is `25`, you can change it by using `-c` flag.\n\n```bash\n▶ crlfuzz -l /path/to/urls.txt -c 50\n```\n\n### Silent\n\nIf you activate this silent mode with the `-s` flag, you will only see vulnerable targets.\n\n```bash\n▶ crlfuzz -l /path/to/urls.txt -s | tee vuln-urls.txt\n```\n\n### Verbose\n\nUnlike silent mode, it will display error details if there is an error with the `-v` flag.\n\n```bash\n▶ crlfuzz -l /path/to/urls.txt -v\n```\n\n### Version\n\nTo display the current version of CRLFuzz with the `-V` flag.\n\n```bash\n▶ crlfuzz -V\n```\n\n### Library\n\nYou can use CRLFuzz as a library.\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/dwisiswant0/crlfuzz/pkg/crlfuzz\"\n)\n\nfunc main() {\n\ttarget := \"http://target\"\n\tmethod := \"GET\"\n\n\t// Generates a potentially CRLF vulnerable URLs\n\tfor _, url := range crlfuzz.GenerateURL(target) {\n\t\t// Scan against target\n\t\tvuln, err := crlfuzz.Scan(url, method, \"\", []string{}, \"\")\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\n\t\tif vuln {\n\t\t\tfmt.Printf(\"VULN! %s\\n\", url)\n\t\t}\n\t}\n}\n```\n\n## Help \u0026 Bugs\n\nIf you are still confused or found a bug, please [open the issue](https://github.com/dwisiswant0/crlfuzz/issues). All bug reports are appreciated, some features have not been tested yet due to lack of free time.\n\n## License\n\n**CRLFuzz** released under MIT. See `LICENSE` for more details.\n\n## Version\n\n**Current version is 1.4.0** and still development.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdwisiswant0%2Fcrlfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdwisiswant0%2Fcrlfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdwisiswant0%2Fcrlfuzz/lists"}