Child pages
  • Mitigating Carriage Return Line Feed (CRLF) Attacks

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
maxLevel3

How can CRLF attacks be harmful? 

Carraige Return Line Feed (CRLF) attacks are also known as HTTP Response Splitting. The carriage return can be represented as CR, ASCII 13 or r which feeds out one line, and line feed as LF, ASCII 10 or n which starts a new line. If an attacker injects a malicious CRLF sequence into an HTTP stream when a user manages to submit a CRLF into an application, the attacker will gain malicious control on the way a web application functions.

Mitigating CRLF attacks

You can use the following approach to mitigate CSRF attacks.

Mitigating using the CRLF Filter

The CRLF Filter sanitizes CR & LF characters in response headers and appenders to sanitize them in logging messages.

Configuring the CSRF Filter
  1. Add the configuration seen below accordingly to enable the filter:
    • To enable the filter only to the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter to any other web app that have access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    Code Block
    languagexml
    <web-app>
    ...
    <filter>
    <filter-name>CRLFPreventionFilter</filter-name>
    <filter-class>org.wso2.carbon.ui.filters.CRLFPreventionFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>CRLFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
    <web-app>
  2. Add the following configuration within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Code Block
    languagexml
    <Server>
    ...
    <Security>
    ...
    <CRLFPreventionConfig>
    <Enabled>true</Enabled>
    </CRLFPreventionConfig>
    ...
    </Security>
    ...
    </Server>
  3. Restart the product server.