Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22030 | APP3940 | SV-25356r1_rule | DCSQ-1 | Medium |
Description |
---|
A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby, possibly compromising the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-27028r1_chk ) |
---|
Ask the application representative for the Design Document. Verify in the Design Document asserting parties for SAML assertions use FIPS approved random numbers in the generation of SessionIndex in the Element AuthnStatement. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If FIPS approved random numbers are not used in the generation of SessionIndex (in the Element AuthnStatement), it is a finding. |
Fix Text (F-23094r1_fix) |
---|
Use FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. |