STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

Applications must validate session identifiers.

DISA Rule

SV-222580r508029_rule

Vulnerability Number

V-222580

Group Title

SRG-APP-000223

Rule Version

APSC-DV-002260

Severity

CAT II

CCI(s)

• CCI-001664 - The information system recognizes only session identifiers that are system-generated.

Weight

10

Fix Recommendation

Configure the application to configure user session identifiers.

Check Contents

Review the application documentation and interview the application administrator.

Identify how the application validates session IDs.

If using a web development framework, ask the application administrator to provide details on the framework's session configuration as it relates to session validation.

If the application is not configured to validate user session identifiers, this is a finding.

Vulnerability Number

V-222580

Documentable

False

Rule Version

APSC-DV-002260

Severity Override Guidance

Review the application documentation and interview the application administrator.

Identify how the application validates session IDs.

If using a web development framework, ask the application administrator to provide details on the framework's session configuration as it relates to session validation.

If the application is not configured to validate user session identifiers, this is a finding.

Check Content Reference

M

Target Key

4093

Comments