STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.

DISA Rule

SV-222593r561254_rule

Vulnerability Number

V-222593

Group Title

SRG-APP-000435

Rule Version

APSC-DV-002390

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Implement:

- Validation against recursive payloads
- Validation against oversized payloads
- Protection against XML entity expansion
- Validation against overlong element names
- Optimized configuration for maximum message throughput in order to ensure DoS attacks against web services are limited.

Check Contents

Review the application architecture documentation and interview the application administrator to identify what steps have been taken to protect the XML aspect of the application from DoS attacks.

If the application does not contain or utilize XML, the requirement is not applicable.

Ask the application administrator to demonstrate how the application is configured to provide the following protections:

- Validation against recursive payloads
- Validation against oversized payloads
- Protection against XML entity expansion
- Validation against overlong element names
- Optimized configuration for maximum message throughput

If the application administrator cannot demonstrate how these protections are implemented either within the application itself or by third-party tools or utilities like an XML gateway, this is a finding.

Vulnerability Number

V-222593

Documentable

False

Rule Version

APSC-DV-002390

Severity Override Guidance

Review the application architecture documentation and interview the application administrator to identify what steps have been taken to protect the XML aspect of the application from DoS attacks.

If the application does not contain or utilize XML, the requirement is not applicable.

Ask the application administrator to demonstrate how the application is configured to provide the following protections:

- Validation against recursive payloads
- Validation against oversized payloads
- Protection against XML entity expansion
- Validation against overlong element names
- Optimized configuration for maximum message throughput

If the application administrator cannot demonstrate how these protections are implemented either within the application itself or by third-party tools or utilities like an XML gateway, this is a finding.

Check Content Reference

M

Target Key

4093

Comments