STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 4 Release: 9 Benchmark Date: 25 Jan 2019: The application must not expose session IDs.

DISA Rule

SV-84827r1_rule

Vulnerability Number

V-70205

Group Title

SRG-APP-000219

Rule Version

APSC-DV-002230

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the application to protect session IDs from interception or from manipulation.

Check Contents

Review the application documentation and configuration.

Interview the application administrator and obtain implementation documentation identifying system architecture.

Identify the application communication paths. This includes system to system communication and client to server communication that transmit session identifiers over the network.

Have the application administrator identify the methods and mechanisms used to protect the application session ID traffic. Acceptable methods include SSL/TLS both one-way and two-way and VPN tunnel.

The protections must be implemented on a point-to-point basis based upon the architecture of the application.

For example; a web application hosting static data will provide SSL/TLS encryption from web client to the web server. More complex designs may encrypt from application server to application server (if applicable) and application server to database as well.

If the session IDs are unencrypted across network segments, this is a finding.

Vulnerability Number

V-70205

Documentable

False

Rule Version

APSC-DV-002230

Severity Override Guidance

Review the application documentation and configuration.

Interview the application administrator and obtain implementation documentation identifying system architecture.

Identify the application communication paths. This includes system to system communication and client to server communication that transmit session identifiers over the network.

Have the application administrator identify the methods and mechanisms used to protect the application session ID traffic. Acceptable methods include SSL/TLS both one-way and two-way and VPN tunnel.

The protections must be implemented on a point-to-point basis based upon the architecture of the application.

For example; a web application hosting static data will provide SSL/TLS encryption from web client to the web server. More complex designs may encrypt from application server to application server (if applicable) and application server to database as well.

If the session IDs are unencrypted across network segments, this is a finding.

Check Content Reference

M

Target Key

3009

Comments