Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22030 | APP3940 | SV-25356r1_rule | DCSQ-1 | Medium |
Description |
---|
The SessionIndex attribute identifies the authenticated session at the identity provider so that it can be referenced later (for example in a LogoutRequest). A predictable SessionIndex could allow an attacker to compute a future SessionIndex and thereby possibly compromise the application. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text (C-27028r1_chk) |
---|
Ask the application representative for the Design Document. Verify in the Design Document that asserting parties for SAML assertions use FIPS approved random numbers to generate the SessionIndex attribute of the AuthnStatement element. If the application is a COTS/GOTS product, or is composed only of COTS/GOTS products with no custom code, this check does not apply, unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor, in which case this check is applicable. 1) If FIPS approved random numbers are not used to generate the SessionIndex (in the AuthnStatement element), it is a finding. |
Fix Text (F-23094r1_fix) |
---|
Use FIPS approved random numbers to generate the SessionIndex attribute of the SAML AuthnStatement element. |
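Worked example of the fix and of a black-box version of the check. This is an added illustration, not code from the STIG or from any SAML product: the function names and the "weak" generator are constructed for the example, the element and attribute names follow the SAML 2.0 core schema (`urn:oasis:names:tc:SAML:2.0:assertion`), and "FIPS approved" is assumed to mean a DRBG from a FIPS 140-validated module running in FIPS mode. The code draws from the OS CSPRNG through `secrets`; whether that source is the validated DRBG is a property of the host, which the code cannot verify.

```python
"""SessionIndex generation for a SAML 2.0 AuthnStatement, with a crude
predictability check. Added example for this STIG entry, not code from the
STIG or from any particular SAML product; the helper names are made up here.
"""
import os
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SESSION_INDEX_BYTES = 16  # 128 bits from the CSPRNG; assumed policy value


def weak_session_index(counter: int, timestamp: str) -> str:
    """Anti-pattern: SessionIndex built from a timestamp and a counter.
    Anyone who sees one value can compute the next. Kept only to show what
    the check is looking for."""
    return f"{timestamp}-{counter:06d}"


def strong_session_index(nbytes: int = SESSION_INDEX_BYTES) -> str:
    """SessionIndex drawn from the OS CSPRNG (secrets -> os.urandom).
    Assumption: on a host running in FIPS mode this source is the validated
    DRBG; that is a deployment property the code cannot verify."""
    return secrets.token_hex(nbytes)


def authn_statement_xml(session_index: str, authn_instant: str,
                        context_class: str = "urn:oasis:names:tc:SAML:2.0:ac:"
                                             "classes:PasswordProtectedTransport") -> str:
    """Serialise a saml:AuthnStatement carrying the SessionIndex attribute.
    Element and attribute names follow the SAML 2.0 core schema."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AuthnStatement",
                      {"AuthnInstant": authn_instant, "SessionIndex": session_index})
    ctx = ET.SubElement(stmt, f"{{{SAML_NS}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML_NS}}}AuthnContextClassRef").text = context_class
    return ET.tostring(stmt, encoding="unicode")


def session_index_from_xml(xml_text: str) -> str:
    """Read the SessionIndex back from a serialised AuthnStatement."""
    return ET.fromstring(xml_text).get("SessionIndex")


def predictability_report(samples: list) -> dict:
    """Black-box signals that a batch of SessionIndex values from one asserting
    party is predictable: a long shared prefix (timestamp or host prefix), a
    constant numeric stride (counter), or too little length. Constructed
    heuristics: any flag is a finding, a clean report is not proof of a good
    generator, which is why the STIG check reads the design document."""
    prefix_len = len(os.path.commonprefix(samples))
    digits = []
    for s in samples:
        d = "".join(ch for ch in s if ch.isdigit())
        digits.append(int(d) if d else None)
    diffs = [b - a for a, b in zip(digits, digits[1:])
             if a is not None and b is not None]
    constant_stride = (len(samples) > 1 and len(diffs) == len(samples) - 1
                       and len(set(diffs)) == 1 and diffs[0] > 0)
    shortest = min(len(s) for s in samples)
    return {
        "shared_prefix_len": prefix_len,
        "constant_stride": constant_stride,
        "shortest_len": shortest,
        "finding": prefix_len >= 8 or constant_stride or shortest < 16,
    }


if __name__ == "__main__":
    instant = "2014-04-03T12:00:00Z"
    weak = [weak_session_index(i, "20140403120000") for i in range(1, 6)]
    strong = [strong_session_index() for _ in range(5)]
    print("weak  :", predictability_report(weak))
    print("strong:", predictability_report(strong))
    print(authn_statement_xml(strong[0], instant))
```

Run it and the weak batch is flagged on both the shared timestamp prefix and the counter stride, while the CSPRNG batch is not; the serialised element is the `AuthnStatement` whose `SessionIndex` the check text refers to. The heuristic only catches obviously structured values, so it complements the design-document review rather than replacing it.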