Rule ID: SV-222607r508029_rule
Vulnerability ID: V-222607
SRG ID: SRG-APP-000251
STIG ID: APSC-DV-002540
Severity: CAT I
Weight: 10

Fix Text:
Modify the application and remove SQL injection vulnerabilities.
Check Text:
Review the application documentation and interview the application administrator.
Request the latest vulnerability scan test results.
Verify the scanner is configured to test for SQL injection flaws.
Review the scan results to determine if any SQL injection flaws were detected during application testing.
If SQL injection flaws were discovered, request a subsequent scan that shows the issues have been remediated.
If the scan results are not available, identify the database product in use and refer to the OWASP web application testing guide for detailed instructions on performing a manual SQL injection test. The instructions are located here, and many tests are organized by database product:
https://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29
If the application is vulnerable to SQL injection attack, contains SQL injection flaws, or if scan results do not exist, this is a finding.