This documentation is for WSO2 Identity Server 5.1.0.

The following sections describe how CRLF attacks can be harmful and the approaches you can use to mitigate them.

How can CRLF attacks be harmful?

CRLF attacks are also known as HTTP Response Splitting. The carriage return is represented as CR, ASCII 13 or \r and ends the current line; the line feed is represented as LF, ASCII 10 or \n and starts a new line. HTTP uses the CRLF pair to terminate each header line, so if an attacker manages to submit a CRLF sequence to an application and it is written unsanitized into the HTTP response stream, the attacker can end a header early and inject further headers or content, gaining malicious control over the way the web application functions.

Mitigating CRLF attacks

Following are the approaches you can use to mitigate CRLF attacks.

Mitigating using the CRLF Filter

The CRLF Filter sanitizes CR and LF characters in response headers, and the corresponding log appenders sanitize them in logging messages.

Configuring the CRLF Filter
  1. Enable the filter by adding the following configuration to the relevant web.xml file.
    • To enable the filter only for the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter for any other web app that has access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    <web-app>
    ...
      <filter>
        <filter-name>CRLFPreventionFilter</filter-name>
        <filter-class>org.wso2.carbon.ui.filters.CRLFPreventionFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CRLFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    ...
    </web-app>
  2. Add the following configuration within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <Server>
    ...
      <Security>
      ...
        <CRLFPreventionConfig>
          <Enabled>true</Enabled>
        </CRLFPreventionConfig>
      ...
      </Security>
    ...
    </Server>
  3. Restart the product server.
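To show what a header-sanitizing filter of this kind does, the following servlet filter is an added example: it is not the implementation of WSO2's CRLFPreventionFilter (only the idea of sanitizing CR and LF in response headers is taken from the page), and the class name ExampleCrlfSanitizingFilter is hypothetical. It wraps the response so that every header value and redirect location has CR and LF removed before the container writes it.

```java
// Hypothetical example class, not WSO2's CRLFPreventionFilter.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Strips CR (\r) and LF (\n) from response header values so that request data
 * reflected into a header (e.g. a Location built from a parameter) cannot end
 * the header early and inject further headers or a second response body.
 */
public class ExampleCrlfSanitizingFilter implements Filter {
    /** Removes every CR and LF; a null value is passed through unchanged. */
    static String stripCrlf(String value) {
        return value == null ? null : value.replace("\r", "").replace("\n", "");
    }

    /** Response wrapper that sanitizes on every header-setting path. */
    static class SanitizingResponse extends HttpServletResponseWrapper {
        SanitizingResponse(HttpServletResponse response) { super(response); }
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, stripCrlf(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(name, stripCrlf(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(stripCrlf(location));
        }
    }

    @Override public void init(FilterConfig config) { }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses carry headers; pass anything else through untouched.
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new SanitizingResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override public void destroy() { }
}
```

Such a class is registered in web.xml with the same filter and filter-mapping elements shown in step 1, with filter-class pointing at it instead.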