Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19695 | APP3820 | SV-21836r1_rule | DCSQ-1 | High |
Description |
---|
SOAP messages should be designed so duplicate messages are detected. Replay attacks may lead to a loss of confidentiality and potentially a loss of availability Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-24092r1_chk ) |
---|
Ask the application representative for the design document. Review the design document for all web services. Review the design and verify all web services are able to detect resubmitted SOAP message requests. Look for the use of WS_Reliability or WS_ReliableMessaging standards. WS_Reliability or WS_ReliableMessaging syntax includes the use of "At-Most" semantics which guarantees that a duplicate message will not be delivered or "Exactly-Once" which guarantees a message will be delivered without duplication. If the application developer uses other reliable messaging standards to detect re-submitted messages, the developer should provide information as to how those standards meet this requirement. 1) If the design document does not indicate all web services are able to detect resubmitted SOAP message requests, this is a finding. |
Fix Text (F-23097r1_fix) |
---|
Design web services with the functionality to detect resubmitted SOAP messages. |