STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must not be vulnerable to XML-oriented attacks.

DISA Rule

SV-222608r508029_rule

Vulnerability Number

V-222608

Group Title

SRG-APP-000251

Rule Version

APSC-DV-002550

Severity

CAT I

CCI(s)

• CCI-001310 - The information system checks the validity of organization-defined inputs.

Weight

10

Fix Recommendation

Design the application to utilize components that are not vulnerable to XML attacks.

Patch the application components when vulnerabilities are discovered.

Check Contents

Review the application documentation, the application architecture and interview the application administrator.

Identify any XML-based web services or XML functionality performed by the application.

Determine if an XML firewall is deployed to protect application from XML-related attacks.

If the application does not process XML, the requirement is not applicable.

Review the latest application vulnerability assessment and verify the scan was configured to test for XML-related vulnerabilities and security issues.

Examples include but are not limited to:

XML Injection
XML related Denial of Service
XPATH injection
XML Signature attacks
XML Spoofing

If an XML firewall is deployed, request configuration information regarding the application and validate the firewall is configured to protect the application.

If the vulnerability scan is not configured to scan for XML-oriented vulnerabilities, if no scan results exist, or if the XML firewall is not configured to protect the application, this is a finding.

Vulnerability Number

V-222608

Documentable

False

Rule Version

APSC-DV-002550

Severity Override Guidance

Review the application documentation, the application architecture and interview the application administrator.

Identify any XML-based web services or XML functionality performed by the application.

Determine if an XML firewall is deployed to protect application from XML-related attacks.

If the application does not process XML, the requirement is not applicable.

Review the latest application vulnerability assessment and verify the scan was configured to test for XML-related vulnerabilities and security issues.

Examples include but are not limited to:

XML Injection
XML related Denial of Service
XPATH injection
XML Signature attacks
XML Spoofing

If an XML firewall is deployed, request configuration information regarding the application and validate the firewall is configured to protect the application.

If the vulnerability scan is not configured to scan for XML-oriented vulnerabilities, if no scan results exist, or if the XML firewall is not configured to protect the application, this is a finding.

Check Content Reference

M

Target Key

4093

Comments