The API must audit request and response details (such as method, URL, headers, body, status, etc.).

STIG ID: SRG-APP-000095-API-001795  |  SRG: SRG-APP-000095 |  Severity: medium |  CCI: CCI-000130 |  Vulnerability Id: V-274534

Vulnerability Discussion

By logging request and response data, the API can track the flow of information between clients and the system, providing a detailed audit trail that helps detect and analyze potential security incidents, such as unauthorized access attempts, data manipulation, or injection attacks.

Check

Verify the API audits request and response details.

1. Inspect the API's logs to verify they capture details of incoming requests and outgoing responses, including headers, body content, and status codes.

2. Simulate various requests and verify that both request and response details are being logged correctly, including any data passed and the response outcome.

3. Verify the API is configured to log the necessary request and response details, such as the type of request, request parameters, and response status.

4. Review the API's documentation to ensure proper auditing of request and response details is enabled.

If the API is not auditing request and response detail, this is a finding.

Fix

Build or configure the API to log the necessary request and response details such as method, URL, headers, body, status, etc.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.