CRLF Injection and a bad premise

A friend of ours, Phil, sent Duane and me a link to an article about web attacks (Phil does this a lot). He commented that he hadn't heard of CRLF Injection before, and while I had heard of it, I realized that I wasn't comfortable explaining it on the spot with examples, so I read the link.

While I think the writeup is good and felt refreshed on the topic (as esoteric as it is, given how often we still find SQL Injection), I was struck by one badly worded comment in the text. Namely the section that says, "The best way to defend against CRLF attacks is to filter extensively any input that a user can give. One should 'remove everything but the known good data' and filter meta characters from the user input. This will ensure that only what should be entered in the field will be submitted to the server." The premise is well intended, but did you spot the flaw? Why would you strip the bad parts out of a submission and then carry on processing what is left? OK, there are innocent cases where a user inserts something that doesn't belong. But if you are doing the filter thing and you find something bad, overtly bad, then you shouldn't just remove it: you should end the user's session and redirect them to an error page (or some other circle of hell).

If a criminal came to your house and tried to open a window only to find it locked, would you then let them keep trying? If you can determine that the input was actually harmful (the opposite of known good data), then you should think hard about dumping the user right there rather than processing anything further from them.
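To make the difference concrete, here is an added example (my own, not code from the linked article or from this post) of the classic CRLF Injection spot: a redirect whose `Location` header is built from user input. The first handler does what the article suggests and silently strips the bad bytes; the second does what I am arguing for and treats a CR or LF in the value as proof of hostile input, kills the session, and sends the user to an error page. The `Session` dataclass and dict-shaped responses are stand-ins for whatever your framework provides; the `target` value is assumed to have already been URL-decoded, since that is how `%0d%0a` in a query string actually arrives.

```python
import re
from dataclasses import dataclass, field

# A raw carriage return or line feed anywhere in a header value is what lets an
# attacker terminate the header and start writing their own headers or body.
# Check the value after URL-decoding, not before.
CRLF = re.compile(r"[\r\n]")


def contains_crlf(value: str) -> bool:
    """True if the value contains a CR or LF, i.e. it cannot safely go into a header."""
    return CRLF.search(value) is not None


def strip_crlf(value: str) -> str:
    """The 'remove the bad characters' approach the quoted article recommends."""
    return CRLF.sub("", value)


@dataclass
class Session:
    """Stand-in for a real session object (assumption made for this example)."""
    user: str
    active: bool = True
    log: list = field(default_factory=list)


def redirect_with_filtering(session: Session, target: str) -> dict:
    """Filter-and-continue: the header is safe, but the session that sent a
    header-injection payload carries on as if nothing happened."""
    return {"status": 302, "headers": {"Location": strip_crlf(target)}, "body": ""}


def redirect_with_rejection(session: Session, target: str) -> dict:
    """Detect-and-dump: overtly hostile input ends the session, gets logged,
    and lands the caller on an error page instead of a redirect."""
    if contains_crlf(target):
        session.active = False
        session.log.append(
            f"CRLF in redirect target from user {session.user!r}; session terminated"
        )
        return {"status": 400, "headers": {}, "body": "error page"}
    return {"status": 302, "headers": {"Location": target}, "body": ""}


if __name__ == "__main__":
    # Constructed sample input: a redirect target carrying an injected header.
    hostile = "/home\r\nX-Injected: yes"

    s1 = Session("alice")
    print(redirect_with_filtering(s1, hostile), "active:", s1.active)

    s2 = Session("alice")
    print(redirect_with_rejection(s2, hostile), "active:", s2.active)
    print(s2.log)

    print(redirect_with_rejection(Session("bob"), "/home"))
```

Both handlers stop the injected header from reaching the wire; only the second one stops the person who sent it. The log line is there on purpose: a rejected CRLF is a detection event worth having in your logs, not a quiet cleanup.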

If you make your applications work more like the way the real world works then they are more likely to survive in the real world.

</rant> ;)