Check: AS24-W2-000520
Apache Server 2.4 Windows Site STIG:
AS24-W2-000520
(in versions v2 r1 through v1 r0.1)
Title
The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. (Cat II impact)
Discussion
Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that the hosted application has already authenticated. The attacker does not need to guess user identifiers and passwords or possess a security token, since the session has already been authenticated. By generating session IDs drawn from as much of the character set as possible, i.e., A-Z, a-z, and 0-9, the number of possible IDs grows exponentially with length and the ID becomes correspondingly harder to guess.
Check Content
Review the <'INSTALLED PATH'>\conf\httpd.conf file, including any files it pulls in with "Include" or "IncludeOptional" directives, and check that the "mod_unique_id" module is loaded, i.e., that an uncommented "LoadModule unique_id_module" directive is present. Running "httpd.exe -M" from the bin directory lists the modules that will actually be loaded; "unique_id_module" must appear in that list. If the module is not loaded, this is a finding.
Fix Text
Edit the <'INSTALLED PATH'>\conf\httpd.conf file and load the "mod_unique_id" module by adding (or uncommenting) the line "LoadModule unique_id_module modules/mod_unique_id.so". Verify the configuration with "httpd.exe -t", then restart Apache.
Additional Identifiers
Rule ID: SV-214379r397735_rule
Vulnerability ID: V-214379
Group Title: SRG-APP-000224-WSR-000138
Expert Comments
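Added example, not part of the STIG text or of Apache's own tooling: a PowerShell audit for this check that does what the Check Content asks (a static search of httpd.conf and its included files for an active LoadModule directive) and confirms it with "httpd.exe -M", which reports the modules httpd would actually load. With -Fix it uncomments or appends the directive, syntax-checks with "httpd.exe -t", and restarts the service. Assumptions: the install path is also the ServerRoot (stock layout, defaulting to C:\Apache24 here), and the Windows service is named "Apache2.4" (the Apache Lounge default); both are parameters. Note for the reviewer: mod_unique_id populates the per-request UNIQUE_ID environment variable; it does not replace the session-cookie generator of a hosted application, which still has to use a cryptographically secure random source.

```powershell
<#
  Added example (not from the STIG or the Apache project): audit AS24-W2-000520
  on a Windows Apache 2.4 host and optionally apply the fix.
  Assumptions: $ApacheRoot is both the install path and the ServerRoot;
  the service name defaults to "Apache2.4" (Apache Lounge default).
#>
param(
    [string]$ApacheRoot  = 'C:\Apache24',
    [string]$ServiceName = 'Apache2.4',
    [switch]$Fix
)

$conf     = Join-Path $ApacheRoot 'conf\httpd.conf'
$httpd    = Join-Path $ApacheRoot 'bin\httpd.exe'
$loadLine = 'LoadModule unique_id_module modules/mod_unique_id.so'

# httpd.conf plus every file pulled in by Include/IncludeOptional: the
# LoadModule directive may live in an included file, not httpd.conf itself.
function Get-ConfFiles {
    param([string]$Path)
    $files = @($Path)
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\s*Include(?:Optional)?\s+"?([^"]+?)"?\s*$') {
            $target = $Matches[1] -replace '/', '\'
            if (-not [IO.Path]::IsPathRooted($target)) {
                $target = Join-Path $ApacheRoot $target   # relative to ServerRoot
            }
            # $target may be a file, a directory, or a wildcard pattern
            foreach ($f in (Get-ChildItem -Path $target -File -Recurse -ErrorAction SilentlyContinue)) {
                $files += Get-ConfFiles -Path $f.FullName
            }
        }
    }
    return $files
}

# Static check: an active (not '#'-commented) LoadModule line for the module.
$active = foreach ($f in (Get-ConfFiles -Path $conf | Select-Object -Unique)) {
    Select-String -Path $f -Pattern '^\s*LoadModule\s+unique_id_module\s+\S+' |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
}

# Runtime check: -M dumps the modules httpd would load with this config;
# -d pins ServerRoot so relative paths resolve as they do for the service.
$runtime = $null
if (Test-Path -Path $httpd) {
    $runtime = & $httpd -d $ApacheRoot -M 2>$null |
        Where-Object { $_ -match '^\s*unique_id_module\s+\((?:static|shared)\)' }
}

if ($active)  { 'LoadModule directive found:'; $active }
else          { "FINDING: no active 'LoadModule unique_id_module' directive under $conf" }
if ($runtime) { "httpd -M reports: $($runtime.Trim())" }
elseif (Test-Path -Path $httpd) { 'FINDING: httpd -M does not list unique_id_module' }

if ($Fix -and -not $active) {
    $so = Join-Path $ApacheRoot 'modules\mod_unique_id.so'
    if (-not (Test-Path -Path $so)) { throw "mod_unique_id.so not present at $so" }
    Copy-Item -Path $conf -Destination "$conf.bak" -Force
    $text = Get-Content -Path $conf
    # The stock httpd.conf ships the directive commented out: uncomment it
    # if present, otherwise append it.
    if ($text -match '^\s*#\s*LoadModule\s+unique_id_module\s') {
        $text = $text -replace '^\s*#\s*(LoadModule\s+unique_id_module\s.*)$', '$1'
    } else {
        $text += $loadLine
    }
    Set-Content -Path $conf -Value $text
    & $httpd -d $ApacheRoot -t            # syntax check before touching the service
    if ($LASTEXITCODE -ne 0) { throw "httpd -t failed; restore from $conf.bak" }
    Restart-Service -Name $ServiceName
}
```

Run it from an elevated PowerShell prompt, e.g. `.\Check-AS24-W2-000520.ps1 -ApacheRoot 'D:\Apache24' -Fix` (the script file name is an assumption). The static and runtime checks are kept separate on purpose: a directive that is present but inside an `<IfModule>` block that never matches, or a module file that is missing, passes a grep of httpd.conf and only shows up in the `-M` output.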
CCIs
Number | Definition |
---|---|
CCI-001188 | The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
Controls
Number | Title |
---|---|
SC-23 (3) | Unique Session Identifiers With Randomization |