Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 tamon tanino (tamont52)
Accenture

Accenture
JP
tamont52 Member since 2016 14 posts
Accenture
Posted: Jun 5, 2018
Last activity: Jun 26, 2018
Posted: 5 Jun 2018 23:56 EDT
Last activity: 26 Jun 2018 6:07 EDT
Closed
Solved

Security risk of CRLF injection

My client is concerned about security measures when in using pega as an internet service.
There is CRLF injection as one security attack, but does Pega take some measures against this security attack?

About CRLF Injection:
https://www.owasp.org/index.php/CRLF_Injection
https://www.netsparker.com/blog/web-security/crlf-http-header/

***Edited by Moderator Marissa to update platform capability***

To see attachments, please log in.
Low-Code App Development
Security
Support Case Created

Accepted Solution

Posted: 6 years ago
Posted: 7 Jun 2018 5:32 EDT
Raghuveer Reddy Bathini (RaghuveerReddyB)
HCL Technologies
Raghuveer Reddy Bathini
HCL Technologies
NL

All the modern application servers are inherently have protection for response splitting attacks. If we insert a header with value that contains CRLF characters the servers automatically replace them with a space character. 

To see attachments, please log in.
Posted: 6 years ago
Posted: 6 Jun 2018 11:57 EDT
Marissa Rogers (MarissaRogers)
MOD
Principal Knowledge Management Specialist
Pegasystems Inc.
US

Hi @tamont52

After discussing your thread with our Support Engineers, they have asked that you submit a Support Request so that they may discuss this with you offline.

Please reference this PSC post in your Support Request and that you were advised to open a SR by our Engineers. Then please come back and comment here with your Support Request ID so that we may track for you.

Thank you!

To see attachments, please log in.
  • Soumyasri Machepalli Sekar Anbu John Sullivan Peter Janssen Srinivas Sarda

Accepted Solution

Posted: 6 years ago
Posted: 7 Jun 2018 5:32 EDT
Raghuveer Reddy Bathini (RaghuveerReddyB)
HCL Technologies
Raghuveer Reddy Bathini
HCL Technologies
NL

All the modern application servers are inherently have protection for response splitting attacks. If we insert a header with value that contains CRLF characters the servers automatically replace them with a space character. 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice