Tags: csrf, wso2, crlf-vulnerability, wso2-identity-server

WSO2 IS 5.2.0 CSRF Protection via CSRFGuard and/or CSRF Filter/Valve?


The documentation of WSO2 Identity Server 5.2.0 describes the usage of CSRF Filter or CSRF Valve as a way to mitigate CSRF attacks - see: WSO2 IS 5.2.0 Documentation. The configuration for that was available in carbon.xml of IS 5.1.0 but is missing in IS 5.2.0.

Instead IS 5.2.0 is using OWASP CSRF Guard as described in WSO2 Carbon Documentation.

My question is: Should I activate both protection mechanisms, or is CSRF Guard sufficient?

Add-on question: CRLFPreventionConfig disappeared in 5.2.0 as well. Is it still needed, and should it be added to the carbon.xml file?


Solution

  • WSO2 IS 5.2.0 (or, to be precise, products based on WSO2 Carbon Kernel 4.4.6+) uses a unified CSRF prevention mechanism based on OWASP CSRFGuard.

    Therefore, the IS 5.2.0 documentation does not necessarily need to mention CSRF prevention, because CSRF protection is enabled by default. Please refer to ticket "DOCUMENTATION-4043" in the issue tracker, created to get this corrected throughout the latest product documents.

    In conclusion, OWASP CSRFGuard is sufficient for WSO2 Identity Server 5.2.0, and you no longer need to enable the filter or the valve.

    CRLF prevention is available by default at the Tomcat level. Therefore, this configuration was removed from the product configuration. Even though it was removed from the Carbon Kernel documentation, it seems the relevant pages are still available in some product documentation. Please refer to ticket "DOCUMENTATION-4044" in the issue tracker, created to get this corrected throughout the latest product documents.
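To make the two mechanisms in the answer concrete, here is an added illustration (not code from WSO2, Carbon Kernel, Tomcat or OWASP CSRFGuard) of what each check does: a synchronizer-token CSRF check of the kind CSRFGuard performs (a per-session secret that every state-changing request must echo back), and a response-header setter that refuses CR/LF the way a container-level CRLF guard does. It is written in Python rather than Java to keep it self-contained; the session dictionary, the `OWASP_CSRFTOKEN` field name (CSRFGuard's default token name, assumed here) and the sample inputs are constructed for the example. Which HTTP methods and pages CSRFGuard verifies is configuration-dependent, so the example treats only safe methods as exempt.

```python
import hmac
import secrets

# Assumed field/header name; CSRFGuard's default token name is OWASP_CSRFTOKEN.
TOKEN_FIELD = "OWASP_CSRFTOKEN"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session synchronizer token.

    `session` stands in for the server-side HTTP session (constructed here).
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_allowed(session: dict, method: str, form: dict, headers: dict) -> bool:
    """Allow a request only if it carries the token stored in its own session.

    The token may arrive as a form field or as a request header. The comparison
    is constant-time so a forged token cannot be guessed byte by byte.
    """
    if method.upper() in SAFE_METHODS:
        return True  # not state-changing; exempt in this illustration
    expected = session.get("csrf_token")
    if expected is None:
        return False  # no token was ever issued for this session
    supplied = form.get(TOKEN_FIELD) or headers.get(TOKEN_FIELD)
    if not isinstance(supplied, str):
        return False  # token missing entirely
    return hmac.compare_digest(expected, supplied)


def header_value_is_safe(value: str) -> bool:
    """True unless the value contains CR, LF or NUL.

    A CR/LF inside a header value would let the value terminate the header
    line and start a new one (HTTP response splitting); refusing the
    characters outright is the same policy a container-level guard applies.
    """
    return not any(ch in value for ch in "\r\n\0")


def set_header(response_headers: dict, name: str, value: str) -> None:
    """Set a response header, rejecting names or values that could split the response."""
    if not header_value_is_safe(name) or not header_value_is_safe(value):
        raise ValueError("refusing header containing CR, LF or NUL")
    response_headers[name] = value


if __name__ == "__main__":
    # Constructed session and requests for a quick demonstration.
    session = {}
    token = issue_csrf_token(session)
    print("POST with token:", csrf_request_allowed(session, "POST", {TOKEN_FIELD: token}, {}))
    print("POST without token:", csrf_request_allowed(session, "POST", {}, {}))

    headers = {}
    set_header(headers, "Location", "/home")
    try:
        # Constructed value containing a CR/LF sequence.
        set_header(headers, "Location", "/home\r\nX-Constructed: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The CSRF half shows why a token check must compare against a value the server itself placed in the session, never against something the request supplies twice; the CRLF half shows that the guard belongs at the point where header values are written, so every code path that redirects or sets a header is covered without per-application configuration, which is the reason the answer gives for dropping `CRLFPreventionConfig` from carbon.xml.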