The following sections describe the impact of the CRLF attack and the approaches you can use to mitigate it.
How can CRLF attacks be harmful?
Carriage Return Line Feed (CRLF) attacks are also known as HTTP Response Splitting. The carriage return can be represented as CR, ASCII 10 or \r, which feeds out one line, and the line feed as LF, ASCII 13 or \n, which starts a new line. If an attacker manages to submit a CRLF sequence into an application and it is injected into the HTTP stream, the attacker gains malicious control over the way the web application functions.
Mitigating CRLF attacks
You can use the following approach to mitigate CRLF attacks.
Mitigating using the CRLF Filter
The CRLF Filter sanitizes CR & LF characters in response headers.
Configuring the CRLF Filter
- Add the following configuration to enable the filter:
  - To enable the filter only for the Management Console, add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
  - To enable the filter for any other web app that has access to the Carbon runtime, add it to that application's <WEB_APP_HOME>/WEB-INF/web.xml file.

```xml
<web-app>
  ...
  <filter>
    <filter-name>CRLFPreventionFilter</filter-name>
    <filter-class>org.wso2.carbon.ui.filters.CRLFPreventionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CRLFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  ...
</web-app>
```
- Add the following configuration within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file:

```xml
<Server>
  ...
  <Security>
    ...
    <CRLFPreventionConfig>
      <Enabled>true</Enabled>
    </CRLFPreventionConfig>
    ...
  </Security>
  ...
</Server>
```
- Restart the product server.
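As an added illustration of what a filter of this kind does (this is example code, not the source of WSO2's CRLFPreventionFilter, whose implementation is not shown on this page), the servlet filter below wraps the response so that CR and LF are removed from any header name, header value or redirect target before the container writes the header. The class name HeaderCrlfSanitizingFilter is hypothetical; it would be registered in web.xml with a filter and filter-mapping entry just like the one above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Illustrative filter (hypothetical name): strips CR/LF from outgoing header names and values. */
public class HeaderCrlfSanitizingFilter implements Filter {
    /** Removes every CR (0x0D) and LF (0x0A) so a value can never end a header line early. */
    static String stripCrlf(String value) {
        return value == null ? null : value.replace("\r", "").replace("\n", "");
    }
    /** Response wrapper that sanitizes every call that writes a header. */
    static class SanitizingResponse extends HttpServletResponseWrapper {
        SanitizingResponse(HttpServletResponse response) {
            super(response);
        }
        @Override
        public void setHeader(String name, String value) {
            super.setHeader(stripCrlf(name), stripCrlf(value));
        }
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(stripCrlf(name), stripCrlf(value));
        }
        @Override
        public void sendRedirect(String location) throws IOException {
            // The redirect target becomes the Location header, so it gets the same treatment.
            super.sendRedirect(stripCrlf(location));
        }
    }
    @Override
    public void init(FilterConfig filterConfig) { }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Hand downstream code a wrapped response; any header it sets passes through stripCrlf.
        ServletResponse wrapped = response instanceof HttpServletResponse
                ? new SanitizingResponse((HttpServletResponse) response) : response;
        chain.doFilter(request, wrapped);
    }
    @Override
    public void destroy() { }
}
```

Stripping is the lenient choice; a stricter variant would reject the response (for example with a 500) when a header value contains CR or LF, which makes attempted injection visible in the server logs instead of silently repairing it.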