From Application Security and Development Security Technical Implementation Guide
Part of APSC-DV-002420
Associated with: CCI-001125
Web Services are vulnerable to many types of attacks such as XML injection or XML External Entity (XXE) attacks. The risks increase when these applications are exposed to untrusted networks.
Review the system documentation and interview the application and system administrators. Verify XML-based web services are used within the application. If no XML-based web services are used in the application, this requirement is not applicable. If the web service is not exposed to an untrusted network or boundary, this requirement is not applicable. If XML-based web services are used within the application, ask the application representative for a network diagram identifying the XML firewall function placement. Review the network diagrams and determine if any web services are exposed to untrusted networks like the Internet. Verify an XML firewall function exists and firewall rules are implemented to protect the web services. If network diagrams do not exist or all web services exposed to untrusted networks are not protected by the XML firewall functionality, this is a finding.
Deploy an XML firewall functionality to protect web services.