Check: WEBPL130
Web Policy STIG:
WEBPL130
(in version v1 r1)
Title
Production web server scripts are tested before implementation. (Cat II impact)
Discussion
Interactive server-side scripts, sometimes referred to as CGI, are a powerful means for enhancing web site functionality. Scripts are often executable at the application layer and can interact with the operating system, frequently exercising control over fundamental system resources (i.e., start and stop programs, write data to the server, alter and delete data, etc.). A variety of scripting languages and middleware is available for this purpose. Typically, this middleware involves the use of an interpreter. The opportunity for a malicious user to exploit poorly-designed or untested web scripts is significant and has proven to be a leading cause of server compromises. This would apply to any operating system and any web server software in use. SSI, ASP, JSP, JAVA, PHP, JS, PERL scripts, and enabled SWFs are commonly found in these circumstances. It is important that all programs have been reviewed, tested, and approved with regard to security prior to being promoted to the production web server. The IAO, the SA, and/or the web master should be in possession of copies of assurance from either an application development team utilizing the guidance of the Application Security and Development STIG or an assurance from a trusted third-party vendor that security evaluations have been performed with regard to scripts being used on a production web server.
Check Content
All scripts and programs executing on a production web server must be tested and evaluated for security issues prior to being installed on the production server. A distinction is made between DoD web servers hosting web sites that are wholly under their control, such as a command that has written and developed a web application and then hosts that web application, and a web server hosting web sites where development is performed remotely and hosting is governed by a memorandum of understanding (MOU) and the service level agreement (SLA). It is not the responsibility of the SA or the web administrator to perform tests or security evaluations on scripts implemented on the production web server. It is the responsibility of the agency or vendors that developed the application to perform all testing and security evaluations. If the web server is owned by the activity that developed the web application, the activity is responsible for all testing and security evaluations. The activity will retain all proofs and documentation supporting this requirement. These proofs will be provided upon request to any individual authorized to review the web server. If the web server hosts web sites where the applications have been remotely authored and the hosting is governed by an MOU and/or the SLA, those remote organizations or vendors are responsible for all testing and security evaluations. In this case, such proofs supporting this requirement will be made available to the hosting activity for the purpose of this compliance check. These proofs will be provided upon request to any individual authorized to review the web server. The reviewer will ask to see all supporting proofs that are necessary to support this requirement. The reviewer may work with the IAO, the IAM, the SA, or the web administrator to determine a feasible sampling of programs and scripts in order to verify compliance with this requirement. If actual testing information is available indicating the method of testing, the individuals responsible for testing, and the individuals approving the test outcomes, the reviewer will note their existence as a part of the supporting proofs. The actual testing of scripts and programs is outside of the scope of this guidance and is governed by the Application Security and Development STIG.
Fix Text
Ensure proof of testing and security assurance is available. Ensure that CGI documentation is available.
Additional Identifiers
Rule ID: SV-28765r1_rule
Vulnerability ID: V-23829
Group Title: Production web server scripts are tested.
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |