
An XML firewall function must be deployed to protect web services when exposed to untrusted networks.


Overview

Finding ID: V-70243
Version: APSC-DV-002420
Rule ID: SV-84865r1_rule
IA Controls:
Severity: Medium
Description
Web services are vulnerable to many types of attacks, such as XML injection or XML External Entity (XXE) attacks. The risks increase when these applications are exposed to untrusted networks. XML-based firewall functionality can be used to prevent common attacks and to help limit the risks of exposing web services to untrusted networks. The XML firewall functionality may be stand-alone or embedded in various multi-purpose products, including but not limited to SOA or web application gateways.
STIG: Application Security and Development Security Technical Implementation Guide
Date: 2018-04-03

Details

Check Text (C-70719r1_chk)
Review the system documentation and interview the application and system administrators.

Verify XML-based web services are used within the application.

If no XML-based web services are used in the application, this requirement is not applicable.

If the web service is not exposed to an untrusted network or boundary, this requirement is not applicable.

If XML-based web services are used within the application, ask the application representative for a network diagram identifying the XML firewall function placement.

Review the network diagrams and determine if any web services are exposed to untrusted networks like the Internet.

Verify an XML firewall function exists and firewall rules are implemented to protect the web services.

If network diagrams do not exist, or not all web services exposed to untrusted networks are protected by the XML firewall functionality, this is a finding.
Fix Text (F-76479r1_fix)
Deploy XML firewall functionality to protect web services.