This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Mitigating Carriage Return Line Feed (CRLF) Attacks - Identity Server 5.0.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

The following sections describe the impact of the CRLF attack and the approaches you can use to mitigate it.

How can CRLF attacks be harmful? 

Carraige Return Line Feed (CRLF) attacks are also known as HTTP Response Splitting. The carriage return can be represented as CR, ASCII 13 or r which feeds out one line, and line feed as LF, ASCII 10 or n which starts a new line. If an attacker injects a malicious CRLF sequence into an HTTP stream when a user manages to submit a CRLF into an application, the attacker will gain malicious control on the way a web application functions.

Mitigating CRLF attacks

You can use the following approach to mitigate CSRF attacks.

Mitigating using the CRLF Filter

The CRLF Filter sanitizes CR & LF characters in response headers and appenders to sanitize them in logging messages.

Configuring the CSRF Filter
  1. Add the configuration seen below accordingly to enable the filter:
    • To enable the filter only to the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter to any other web app that have access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    <web-app>
    ...
    <filter>
    <filter-name>CRLFPreventionFilter</filter-name>
    <filter-class>org.wso2.carbon.ui.filters.CRLFPreventionFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>CRLFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
    <web-app>
  2. Add the following configuration within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <Server>
    ...
    <Security>
    ...
    <CRLFPreventionConfig>
    <Enabled>true</Enabled>
    </CRLFPreventionConfig>
    ...
    </Security>
    ...
    </Server>
  3. Restart the product server.
  • No labels