STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must not disclose unnecessary information to users.

DISA Rule

SV-222600r508029_rule

Vulnerability Number

V-222600

Group Title

SRG-APP-000441

Rule Version

APSC-DV-002480

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to not display technical details about the application architecture on error events.

Check Contents

Review the application system documentation and interview the application administrators.

Ask them to demonstrate how the web server and application configuration does not disclose any information about the application which could be used by an attacker to gain access to the application.

Ask the application representative to logon as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user.

Review web server configuration and determine if custom error pages are configured to display on error events.

Review error pages sent to application users to verify the pages are generic in nature and provide no technical details related to application architecture.

If the application displays any application technical data such as database version, application server information, or any other technical details that should not be disclosed to a regular user, this is a finding.

Vulnerability Number

V-222600

Documentable

False

Rule Version

APSC-DV-002480

Severity Override Guidance

Review the application system documentation and interview the application administrators.

Ask them to demonstrate how the web server and application configuration does not disclose any information about the application which could be used by an attacker to gain access to the application.

Ask the application representative to logon as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user.

Review web server configuration and determine if custom error pages are configured to display on error events.

Review error pages sent to application users to verify the pages are generic in nature and provide no technical details related to application architecture.

If the application displays any application technical data such as database version, application server information, or any other technical details that should not be disclosed to a regular user, this is a finding.

Check Content Reference

M

Target Key

4093

Comments