Title

The API must audit request and response details (such as method, URL, headers, body, status, etc.). (Cat II impact)

Discussion

By logging request and response data, the API can track the flow of information between clients and the system, providing a detailed audit trail that helps detect and analyze potential security incidents, such as unauthorized access attempts, data manipulation, or injection attacks.

Check Content

Verify the API audits request and response details. 1. Inspect the API's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes. 2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome. 3. Verify the API is configured to log the necessary request and response details, such as the type of request, request parameters, and response status. 4. Review the API's documentation to ensure proper auditing of request and response details is enabled. If the API is not auditing request and response detail, this is a finding.

Fix Text

Build or configure the API to log the necessary request and response details such as method, URL, headers, body, status, etc.

Additional Identifiers

Rule ID: SV-274534r1143565_rule

Vulnerability ID: V-274534

Group Title: SRG-APP-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.