
The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.


Overview

Finding ID: V-19695
Version: APP3820
Rule ID: SV-21836r1_rule
IA Controls: DCSQ-1
Severity: High
Description
SOAP messages should be designed so that duplicate messages are detected. Replay attacks may lead to a loss of confidentiality and potentially a loss of availability.

Severity rationale (High): any vulnerability associated with a DoD information system or system enclave whose exploitation, by a risk factor, will directly and immediately result in loss of confidentiality, availability or integrity of the system or its associated data.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-24092r1_chk)
Ask the application representative for the design document. Review the design document for all web services. Review the design and verify all web services are able to detect resubmitted SOAP message requests.

Look for the use of the WS-Reliability or WS-ReliableMessaging standards. Their delivery assurances include "At-Most-Once" semantics, which guarantee that a duplicate message will not be delivered, and "Exactly-Once" semantics, which guarantee that a message will be delivered exactly once, without duplication.

If the application developer uses other reliable messaging standards to detect re-submitted messages, the developer should provide information as to how those standards meet this requirement.

1) If the design document does not indicate all web services are able to detect resubmitted SOAP message requests, this is a finding.
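As an added illustration of the design property this check looks for (not code from the STIG or any product), the detector below keys each inbound SOAP 1.2 message on its WS-ReliableMessaging Sequence header (Identifier plus MessageNumber) and refuses any resubmission of a pair it has already delivered, which is the At-Most-Once assurance described above. The SOAP and WS-RM 1.1 namespace URIs are the published ones; the class, function names and sample envelopes are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"          # SOAP 1.2
WSRM_NS = "http://docs.oasis-open.org/ws-rx/wsrm/200702"     # WS-ReliableMessaging 1.1
NS = {"s": SOAP_NS, "wsrm": WSRM_NS}


class ReplayDetector:
    """Tracks delivered MessageNumbers per Sequence to enforce At-Most-Once delivery."""

    def __init__(self):
        # sequence Identifier -> set of MessageNumbers already delivered
        self._seen = {}

    def extract_key(self, envelope_xml):
        """Return (Identifier, MessageNumber) from the wsrm:Sequence header."""
        # Production code should parse with defusedxml to resist entity-expansion abuse.
        root = ET.fromstring(envelope_xml)
        seq = root.find("s:Header/wsrm:Sequence", NS)
        if seq is None:
            raise ValueError("missing wsrm:Sequence header; message is not reliable")
        ident = seq.findtext("wsrm:Identifier", namespaces=NS)
        num = seq.findtext("wsrm:MessageNumber", namespaces=NS)
        # MessageNumber is an unsigned integer starting at 1; reject anything else.
        if not ident or num is None or not num.isdigit() or int(num) < 1:
            raise ValueError("malformed wsrm:Sequence header")
        return ident, int(num)

    def accept(self, envelope_xml):
        """True the first time a (Identifier, MessageNumber) pair arrives,
        False for every resubmission of that same pair (the replay case)."""
        ident, num = self.extract_key(envelope_xml)
        delivered = self._seen.setdefault(ident, set())
        if num in delivered:
            return False
        delivered.add(num)
        return True


def build_envelope(identifier, number, body):
    """Constructed sample SOAP 1.2 envelope carrying a WS-RM Sequence header."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsrm="{WSRM_NS}">'
        f"<s:Header><wsrm:Sequence><wsrm:Identifier>{identifier}</wsrm:Identifier>"
        f"<wsrm:MessageNumber>{number}</wsrm:MessageNumber></wsrm:Sequence></s:Header>"
        f"<s:Body>{body}</s:Body></s:Envelope>"
    )
```

A message that arrives without a Sequence header is rejected outright rather than silently delivered, since a service that cannot identify a message cannot tell whether it has seen it before.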
Fix Text (F-23097r1_fix)
Design web services with the functionality to detect resubmitted SOAP messages.