Free DISA STIG and SRG Library | Vaulted


The application must not be vulnerable to XML-oriented attacks.

Finding ID
Rule ID
Cat I
Group Title
Target Key

Extensible Markup Language (XML) is widely employed in web technology and applications like web services (SOAP, REST, and WSDL) and is also used for configuration files. XML vulnerability examples include XML injection, XML Spoofing, XML-based Denial of Service attacks and information disclosure attacks. When utilizing XML, web applications must take steps to ensure they are addressing XML-related security issues. This is accomplished by choosing well-designed application components, building application code that follows security best practices and by patching application components when vulnerabilities are identified. XML firewalls or gateways may be employed to assist in protecting applications by controlling access to XML-based applications, filtering XML content, rate-limiting requests, and validating XML traffic.

Fix Text

Design the application to utilize components that are not vulnerable to XML attacks. Patch the application components when vulnerabilities are discovered.

Check Content

Review the application documentation, the application architecture and interview the application administrator. Identify any XML-based web services or XML functionality performed by the application. Determine if an XML firewall is deployed to protect application from XML-related attacks. If the application does not process XML, the requirement is not applicable. Review the latest application vulnerability assessment and verify the scan was configured to test for XML-related vulnerabilities and security issues. Examples include but are not limited to: XML Injection XML related Denial of Service XPATH injection XML Signature attacks XML Spoofing If an XML firewall is deployed, request configuration information regarding the application and validate the firewall is configured to protect the application. If the vulnerability scan is not configured to scan for XML-oriented vulnerabilities, if no scan results exist, or if the XML firewall is not configured to protect the application, this is a finding.