
The mobile application must prevent XML injection.


Overview

Finding ID: V-35656
Version: SRG-APP-000251-MAPP-00051
Rule ID: SV-46943r1_rule
IA Controls: (none listed)
Severity: Medium
Description
XML injection may result in an immediate loss of integrity of the data. This applies to any vulnerability in a DoD information system whose exploitation would directly and immediately result in a loss of confidentiality, availability, or integrity of the system's data. If a mobile application does not permit XML injection, the risk of exploits from this form of attack is greatly reduced. Refer to CWE-91 (XML Injection) for further information. Additional information on CWEs is found in the MAPP SRG Overview.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-43998r1_chk )
If the application does not interpret XML, this requirement is not applicable. Perform a static program analysis to assess whether code is present that prevents XML injection attacks. Search for code that uses XML Schema Definition (XSD) restrictions and XML Schema regular expressions, which serve to minimize XML injection attacks. If the static program analysis reveals there is no code that protects the application from XML injection attacks, this is a finding. Examples of XML injection vulnerabilities can be obtained from OWASP at https://www.owasp.org
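The following Python script is an added example, not part of the STIG text, illustrating both the Description (how an untrusted string concatenated into markup injects elements) and the Check Text (an XSD restriction with a pattern facet that rejects such input). The registration message, the element names, the schema and the sample username payload are all constructed for this example; the `xs:pattern` is pulled from the schema string and applied with `re.fullmatch`, which reproduces the implicit anchoring of XSD patterns for a simple character-class pattern like this one (XSD and Python regex syntax diverge for more exotic constructs, so a real deployment would use a schema-aware validator).

```python
"""Added example: XML injection through string concatenation, and two mitigations
(escaping / DOM construction, and an XSD-style pattern restriction on the input).
Everything here is illustrative and assumed; it is not code from the STIG."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical mobile-app function: build a registration message for the backend.
def build_user_xml_vulnerable(username, role="user"):
    # Untrusted input is concatenated straight into markup: a username containing
    # "</name><role>admin</role><name>" closes the element and injects a new one.
    return "<user><name>" + username + "</name><role>" + role + "</role></user>"

def build_user_xml_safe(username, role="user"):
    # escape() rewrites &, < and > as entities, so text content can never open or
    # close an element. Use quoteattr() instead for attribute values.
    return "<user><name>" + escape(username) + "</name><role>" + escape(role) + "</role></user>"

def build_user_xml_tree(username, role="user"):
    # Preferred form: let the serializer do the escaping by building a tree.
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")

# Constructed XSD fragment of the kind the Check Text asks the reviewer to look for:
# a restriction whose pattern facet admits only a small alphabet, so XML
# metacharacters (<, >, &, quotes, slashes) are rejected before they reach any
# markup-building code.
USER_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="UsernameType">
    <xs:restriction base="xs:string">
      <xs:pattern value="[A-Za-z0-9_]{3,16}"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>"""

XS = "{http://www.w3.org/2001/XMLSchema}"

def xsd_pattern(xsd, type_name):
    """Return the compiled xs:pattern facet of the named simpleType in `xsd`."""
    root = ET.fromstring(xsd)
    for simple_type in root.iter(XS + "simpleType"):
        if simple_type.get("name") == type_name:
            pattern = simple_type.find(XS + "restriction/" + XS + "pattern")
            return re.compile(pattern.get("value"))
    raise KeyError(type_name)

USERNAME_RE = xsd_pattern(USER_XSD, "UsernameType")

def username_is_valid(username):
    # XSD patterns are implicitly anchored at both ends; fullmatch mirrors that.
    return USERNAME_RE.fullmatch(username) is not None

def roles_in(xml_doc):
    """What the backend sees: the text of every <role> element, in document order."""
    root = ET.fromstring(xml_doc)
    return [r.text for r in root.iter("role")]

def demo():
    """Run the three builders against an injection payload (constructed input)."""
    payload = "alice</name><role>admin</role><name>"
    return {
        "vulnerable": roles_in(build_user_xml_vulnerable(payload)),
        "escaped": roles_in(build_user_xml_safe(payload)),
        "tree": roles_in(build_user_xml_tree(payload)),
        "schema_accepts_payload": username_is_valid(payload),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The vulnerable builder yields two `<role>` elements, the first of them `admin`, because the payload closed `<name>` and opened its own markup; the escaped and tree-built documents keep the payload inside `<name>` as literal text, and the schema restriction rejects the payload outright. During the static analysis called for above, the presence of a restriction like `UsernameType` on every field that later reaches markup, plus serializer-based construction rather than concatenation, is the evidence that the requirement is met.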
Fix Text (F-40198r1_fix)
Modify code to correct XML injection flaws: build XML through a DOM or serializer API rather than string concatenation, escape any untrusted value that must be placed in markup, and validate parsed input against an XSD whose restriction facets (patterns, enumerations, lengths) exclude XML metacharacters.