325 Protect WSDL files


Summary

WSDL files containing sensitive information must not be publicly accessible.


Description

Some web service architectures require exposing a WSDL file. If this file contains sensitive information, such as deprecated methods or administrative services, it should not be available to a wider audience than necessary. If it must be available on a very public network, such as the internet, it should not contain any sensitive information.
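One way to review a WSDL 1.1 file before it is published is shown below. This is an added example, not part of the original requirement; the keyword list, the sample WSDL and the function name `audit_wsdl` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"  # WSDL 1.1 namespace
# Assumed naming hints for sensitive operations; adjust to your services.
SENSITIVE = re.compile(r"admin|deprecated|legacy|internal|debug", re.IGNORECASE)

# Constructed sample WSDL (not from a real service).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Orders">
  <portType name="OrdersPort">
    <operation name="GetOrder"/>
    <operation name="AdminResetPassword"/>
    <operation name="GetOrderV1">
      <documentation>Deprecated: use GetOrder.</documentation>
    </operation>
  </portType>
  <portType name="InternalMaintenancePort">
    <operation name="Ping"/>
  </portType>
</definitions>"""


def audit_wsdl(wsdl_text):
    """Return sorted (portType, operation, reason) findings for review."""
    root = ET.fromstring(wsdl_text)
    findings = []
    for port in root.iter(f"{{{WSDL_NS}}}portType"):
        port_name = port.get("name", "")
        for op in port.findall(f"{{{WSDL_NS}}}operation"):
            op_name = op.get("name", "")
            doc = op.findtext(f"{{{WSDL_NS}}}documentation", default="")
            if SENSITIVE.search(op_name):
                reason = "operation name"
            elif SENSITIVE.search(doc):
                reason = "documentation text"
            elif SENSITIVE.search(port_name):
                reason = "portType name"
            else:
                continue
            findings.append((port_name, op_name, reason))
    return sorted(findings)


if __name__ == "__main__":
    for port_name, op_name, reason in audit_wsdl(SAMPLE_WSDL):
        print(f"review before publishing: {port_name}.{op_name} ({reason})")
```

Each finding is a prompt for manual review: either remove the operation from the published WSDL or restrict who can retrieve the file.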


Supported In

Advanced: True


References


Weaknesses


Last updated

2023/09/18