The API must revoke assertions in accordance with organization-defined identification and authentication policy.

STIG ID: SRG-APP-000990-API-001680 | SRG: SRG-APP-000990 | Severity: medium | CCI: CCI-005161, CCI-000366 | Vulnerability Id: V-274844

Vulnerability Discussion

An API must revoke assertions to immediately terminate access when a user's credentials are compromised, their permissions change, or their session is no longer valid. Assertions like JWTs or SAML tokens grant access to protected resources, and if not actively revoked, can be exploited even after a user's access is removed. By supporting assertion revocation, such as maintaining a token blacklist or using short-lived tokens with active invalidation, the API enhances security by ensuring outdated or potentially dangerous assertions cannot be reused. This is critical in scenarios involving logout, credential theft, or administrative role changes, where continued access could lead to unauthorized data exposure or system compromise.

Check

Verify that the API has an implemented and functional revocation mechanism. This could involve endpoints or methods that allow for the invalidation of assertions, such as a revocation list or a central system for tracking revoked assertions.

Simulate the revocation of assertions by either manually revoking access or simulating scenarios that trigger revocation (e.g., a user's session being terminated, access being revoked due to a policy violation). Ensure the API properly invalidates the assertions and prevents further access with the revoked assertions.

Review Logging and Auditing of Revocation Events:
Confirm that the API logs revocation events, capturing key details such as who initiated the revocation, when it occurred, and why it was revoked.

After revocation, test that any attempt to use the revoked assertion is properly rejected by the API. The API should deny access if the assertion has been invalidated, ensuring no further use is possible.

Refer to the API's documentation to confirm that revocation processes are correctly implemented in line with the organization's defined policies for identity management and authentication.

If the API does not revoke assertions in accordance with organization-defined identification and authentication policy, this is a finding.
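The following is an added example, not part of the STIG text and not a reference implementation from any product: it shows the mechanism the Vulnerability Discussion describes (a revocation list keyed on the token's `jti` combined with short-lived tokens) and the behaviour the Check steps test for (a revocation path that records who revoked, when and why, and a verifier that rejects the revoked assertion afterward). It uses only the Python standard library; HS256 is computed by hand so the block runs offline. The function names (`issue_token`, `revoke`, `verify_token`, `prune_revocations`), the demo signing key and the 300-second lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads this from a secrets store.
SECRET = b"demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 300  # short-lived tokens bound the window a leaked token is usable

# Revocation list keyed by the token's unique id (jti), plus an audit trail.
# In production both would live in shared storage (e.g. a cache or database)
# so every API instance sees the same revocations.
REVOKED = {}     # jti -> revocation record
AUDIT_LOG = []   # append-only list of revocation records (who, when, why)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(subject: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT carrying a unique jti and a short expiry."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "jti": str(uuid.uuid4()),   # unique id that the revocation list keys on
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
    }
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def revoke(token: str, actor: str, reason: str, now: Optional[float] = None) -> dict:
    """Revoke a token and record who initiated it, when and why (the Check's audit detail)."""
    now = time.time() if now is None else now
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    record = {
        "jti": payload["jti"],
        "sub": payload["sub"],
        "exp": payload["exp"],        # kept so the entry can be pruned once it expires anyway
        "revoked_by": actor,
        "revoked_at": int(now),
        "reason": reason,
    }
    REVOKED[payload["jti"]] = record
    AUDIT_LOG.append(record)
    return record


def verify_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects malformed, forged, expired and revoked tokens."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        return False, "expired"
    if payload["jti"] in REVOKED:          # the revocation-list lookup
        return False, "revoked"
    return True, "ok"


def prune_revocations(now: Optional[float] = None) -> int:
    """Drop revocation entries whose token has expired; the exp check already rejects them."""
    now = time.time() if now is None else now
    expired = [jti for jti, rec in REVOKED.items() if now >= rec["exp"]]
    for jti in expired:
        del REVOKED[jti]
    return len(expired)


if __name__ == "__main__":
    t = issue_token("alice")
    print(verify_token(t))                          # (True, 'ok')
    revoke(t, actor="admin", reason="role change")
    print(verify_token(t))                          # (False, 'revoked')
    print(AUDIT_LOG[-1]["revoked_by"], AUDIT_LOG[-1]["reason"])
```

The ordering inside `verify_token` matters for the Check: the signature is validated before anything in the payload is trusted, and the expiry test precedes the revocation lookup, which is what makes the revocation list safe to prune once a token's lifetime has passed. A token that is never explicitly revoked still dies at `exp`, so the revocation list only has to hold entries for at most `TOKEN_TTL_SECONDS`.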

Fix

Build or configure the API to revoke assertions in accordance with organization-defined identification and authentication policy.