
The designer will ensure the application is not vulnerable to XML Injection.


Overview

Finding ID: V-21498
Version: APP3810
Rule ID: SV-23682r1_rule
IA Controls: DCSQ-1
Severity: High
Description
XML injection results in an immediate loss of integrity of the data: untrusted input that reaches an XML document unescaped can add, alter or remove elements and attributes rather than being stored as plain text. The High severity applies because any vulnerability associated with a DoD information system or system enclave whose exploitation by a threat will directly and immediately result in loss of confidentiality, availability or integrity of the system or its associated data is rated at that level.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-25721r1_chk )
Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool.

If the results come from a manual code review, the application representative must demonstrate how XML injection vulnerabilities are identified during the review. The pattern to look for is untrusted input being concatenated into XML markup instead of being set as element text or attribute values through an XML API, which escapes the characters <, > and & so they cannot become markup. Validating input against XML Schema Definition (XSD) restrictions and XML Schema regular expressions (for example xs:pattern, xs:maxLength and enumerations) further minimizes XML injection, but only for the values the schema actually constrains; it does not replace correct escaping at the point where the document is built.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify XML injection vulnerabilities, it is a finding.

Examples of XML Injection vulnerabilities can be obtained from the OWASP website.
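The following is an added example, not part of the STIG text or of any reviewed application, showing the defect a reviewer is looking for and the two fixes described above. The field names (user, name, role), the constructed attacker input and the username pattern are assumptions for illustration; the XSD fragment in the comment is the restriction the regular expression mirrors, and the check uses Python's standard xml.etree.ElementTree rather than a schema validator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not from any real application): the value
# submitted for the "name" field closes the <name> element and smuggles
# in a <role> element of the attacker's choosing.
INJECTED_NAME = 'alice</name><role>admin</role><name>x'


def build_user_vulnerable(name: str) -> str:
    """'Before': the XML document is assembled by string concatenation.
    Nothing is escaped, so markup inside `name` becomes part of the
    document structure."""
    return f"<user><name>{name}</name><role>user</role></user>"


def build_user_safe(name: str) -> str:
    """'After': the document is built through the XML API. ElementTree
    serialises `name` as text and escapes < > &, so the same input is
    stored as a literal string and cannot create new elements."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


# Application-side mirror of an (assumed) XSD restriction on the name:
#   <xs:simpleType name="UserName">
#     <xs:restriction base="xs:string">
#       <xs:maxLength value="32"/>
#       <xs:pattern value="[A-Za-z0-9_.-]+"/>
#     </xs:restriction>
#   </xs:simpleType>
# XSD patterns are implicitly anchored to the whole value, which is why
# re.fullmatch is used here instead of re.search.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_allowed(name: str) -> bool:
    """True if the value would pass the schema restriction above."""
    return USERNAME_PATTERN.fullmatch(name) is not None


def effective_role(xml_doc: str) -> str:
    """What a consuming component would read: the first <role> child."""
    return ET.fromstring(xml_doc).find("role").text


def stored_name(xml_doc: str) -> str:
    """The text a consuming component would read from the first <name>."""
    return ET.fromstring(xml_doc).find("name").text


if __name__ == "__main__":
    vuln = build_user_vulnerable(INJECTED_NAME)
    safe = build_user_safe(INJECTED_NAME)
    print("vulnerable:", vuln)
    print("  role read back:", effective_role(vuln))
    print("safe:      ", safe)
    print("  role read back:", effective_role(safe))
    print("schema accepts payload?", username_allowed(INJECTED_NAME))
```

With the concatenated document the first role element read back is "admin" even though the application only ever wrote "user"; with the API-built document the role stays "user" and the name is read back as exactly the string that was submitted, angle brackets included. The schema check rejects the payload outright, but note that it would do nothing for a field whose schema type is an unrestricted xs:string, which is why the escaping fix is the one that must be present everywhere.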
Fix Text (F-23047r1_fix)
Correct XML Injection flaws: build XML through an XML API or escape untrusted input before it is placed in markup, and constrain input values with XSD restrictions where the schema allows.