UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application is not vulnerable to XML Injection.


Overview

Finding ID Version Rule ID IA Controls Severity
V-21498 APP3810 SV-23682r1_rule DCSQ-1 High
Description
XML injection results in an immediate loss of “integrity” of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-25721r1_chk )
Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool.

If the results are provided from a manual code review, the application representative will need to demonstrate how XML injection vulnerabilities are identified during code reviews. Using XML Schema Definition (XSD) Restrictions and XML Schema Regular Expressions can minimize XML injection attacks.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify XML injection vulnerabilities, it is a finding.

Examples of XML Injection vulnerabilities can be obtained from the OWASP website.
Fix Text (F-23047r1_fix)
Correct XML Injection flaws.