‘HowWorks’ - new post type, explains how something works, in that case CRLF vulnerability

If we can inject some data in web app that doesn’t get proper validation/filtering and used in HTTP response Headers, then we can inject \r\n (HTTP line break, CRLF).

You can think of it as stored XSS, but instead Javascript, we inject \r\n which will allow to effectivly modify entire HTTP response from server to specific endpoint.

# Tools

We have 2 good options:

## ffuf

ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ

pros:

• have great -ac which automatically filters potential false-positives
• -sf stop when > 95% of responses return 403 Forbidden
• -enc can encode wordlist with URL/base64 encoder
• you can specify multiple wordlists
• -mode can specify multiple wordlists and multiple FUZZ words (like in burp suite)
• you can specify rate limit
• more matching options
• have recursive scan
• better UI (+ have some interactive mode)

cons:

Crawler (or spider) - gets you all links that site have and reference to. It isn’t dirbusting, you can’t get hidden directories with crawler.

With crawler you can more easily find hard to find website functions or interesting links (like URL parameters example.com/get?promo=code).

# How to crawl

We will use 2 tools, katana and gau

## Katana

Fast and feature-full crawler:

• you can just crawl site - katana -u blog.ca.sual.in
• crawl .js files for additional links (-jc -jsl)
• use headless browser (in case you get blocked, -hl)
• etc…

## Gau

This one doesn’t crawl site from your computer, it uses data from public internet crawlers

Mostly fixed thing! May occure in some handwritten web-servers

Start HTTP server in 1 command!