Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19689 | APP3760 | SV-21830r1_rule | DCSQ-1 | Medium |
Description |
---|
Because of potential denial of service, web services should be designed to recognize potential attack patterns. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text (C-24086r1_chk) |
---|
Ask the application representative for design documentation, review the design documentation, and ensure the application employs methods for XML schema validation and disables the use of inline XML Document Type Definition (DTD) schemas in XML parsing objects. Managing DTD parsing behavior is key to preventing the invocation of XML bombs. In .NET applications, DTD parsing is controlled within the .NET Framework. 1) If the design document does not exist or does not address the specified web service, it is a finding. 2) If the application does not employ any method of schema validation, it is a finding. 3) If the application does not disable the use of inline XML Document Type Definition (DTD) schemas, it is a finding. |
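
Added example, not part of the STIG text: a .NET `XmlReaderSettings` configuration that meets check items 2 and 3 (schema validation on, inline DTDs prohibited), exercised against three constructed inputs. The `urn:example:orders` namespace, the order schema and the sample documents are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
public static class HardenedXmlParsing
{
    // Schema for a hypothetical "order" message, constructed for this example.
    private const string OrderSchema =
        @"<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema"" targetNamespace=""urn:example:orders""
            xmlns=""urn:example:orders"" elementFormDefault=""qualified"">
            <xs:element name=""order""><xs:complexType><xs:sequence>
              <xs:element name=""sku"" type=""xs:string""/><xs:element name=""qty"" type=""xs:positiveInteger""/>
            </xs:sequence></xs:complexType></xs:element></xs:schema>";
    // Reader settings that satisfy both check items: any DTD is rejected before
    // entity expansion can happen, and every document is validated against the schema.
    public static XmlReaderSettings HardenedSettings(List<string> errors)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // explicit, though already the XmlReaderSettings default
            XmlResolver = null,                     // never fetch external DTDs or schema locations
            ValidationType = ValidationType.Schema,
        };
        settings.Schemas.Add("urn:example:orders", XmlReader.Create(new StringReader(OrderSchema)));
        settings.ValidationEventHandler += (sender, e) => errors.Add(e.Message); // collect instead of throwing
        return settings;
    }
    // Reads one document to the end: returns schema errors; throws XmlException if a DTD is present.
    public static List<string> Validate(string xml)
    {
        var errors = new List<string>();
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings(errors)))
            while (reader.Read()) { }
        return errors;
    }
    public static void Main()
    {
        const string ns = "urn:example:orders"; // three constructed inputs: valid, schema-invalid, inline DTD
        string[] samples =
        {
            $"<order xmlns='{ns}'><sku>A-1</sku><qty>2</qty></order>",
            $"<order xmlns='{ns}'><sku>A-1</sku><qty>-2</qty></order>",
            $"<!DOCTYPE order [<!ENTITY e 'x'>]><order xmlns='{ns}'><sku>&e;</sku><qty>1</qty></order>",
        };
        foreach (var xml in samples)
            try { var errs = Validate(xml); Console.WriteLine(errs.Count == 0 ? "accepted" : "schema: " + errs[0]); }
            catch (XmlException ex) { Console.WriteLine("parser: " + ex.Message); }
    }
}
```

The first document is accepted, the second is reported through the validation handler because `qty` is not a positive integer, and the third is stopped at the DOCTYPE by the reader itself, so the entity is never expanded.
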
Fix Text (F-23043r1_fix) |
---|
Design Web services to recognize attacks. |