STIGhub
CCI-001310
Definition
Checks the validity of organization-defined information inputs to the system.
Parent Control
SI-10
Information Input Validation
System and Information Integrity
Linked STIG Checks (126)
V-237057
CAT II
The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.
A10 Networks ADC ALG Security Technical Implementation Guide
V-76451
CAT II
Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization.
Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-205027
CAT II
The ALG must check the validity of all data inputs except those specifically identified by the organization.
Application Layer Gateway Security Requirements Guide
V-274613
CAT II
The API must specify allowed origins when using Cross-Origin Resource Sharing (CORS).
Application Programming Interface (API) Security Requirements Guide
V-222602
CAT I
The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
Application Security and Development Security Technical Implementation Guide
V-222603
CAT II
The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
Application Security and Development Security Technical Implementation Guide
V-222604
CAT I
The application must protect from command injection.
Application Security and Development Security Technical Implementation Guide
V-222605
CAT II
The application must protect from canonical representation vulnerabilities.
Application Security and Development Security Technical Implementation Guide
V-222606
CAT II
The application must validate all input.
Application Security and Development Security Technical Implementation Guide
V-222607
CAT I
The application must not be vulnerable to SQL Injection.
Application Security and Development Security Technical Implementation Guide
V-222608
CAT I
The application must not be vulnerable to XML-oriented attacks.
Application Security and Development Security Technical Implementation Guide
V-204772
CAT II
The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.
Application Server Security Requirements Guide
V-272417
CAT I
A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and must perform integrity verification and data origin verification for all DNS information.
BIND 9.x Security Technical Implementation Guide
V-237410
CAT II
The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
CA API Gateway ALG Security Technical Implementation Guide
V-251619
CAT II
IDMS must check the validity of all data input unless the organization says otherwise.
CA IDMS Security Technical Implementation Guide
V-251620
CAT II
CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.
CA IDMS Security Technical Implementation Guide
V-251621
CAT II
CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.
CA IDMS Security Technical Implementation Guide
V-251622
CAT II
CA IDMS must limit use of the IDMS server used in issuing dynamic statements from client applications to circumstances determined by the organization.
CA IDMS Security Technical Implementation Guide
V-251623
CAT II
CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
CA IDMS Security Technical Implementation Guide
V-233526
CAT II
PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-233527
CAT II
PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-233528
CAT II
PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261905
CAT II
PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-261906
CAT II
PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-261907
CAT II
PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206575
CAT II
The DBMS must check the validity of all data inputs except those specifically identified by the organization.
Database Security Requirements Guide
V-206576
CAT II
The DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
Database Security Requirements Guide
V-206577
CAT II
The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Database Security Requirements Guide
V-205191
CAT II
The DNS server implementation must check the validity of all data inputs except those specifically identified by the organization.
Domain Name System (DNS) Security Requirements Guide
V-224182
CAT II
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-224183
CAT II
The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-224184
CAT II
The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213608
CAT II
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-213609
CAT II
The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-213610
CAT II
The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259263
CAT II
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259264
CAT II
The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259265
CAT II
The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-214516
CAT II
The BIG-IP ASM module must check the validity of all data inputs except those specifically identified by the organization.
F5 BIG-IP Application Security Manager Security Technical Implementation Guide
V-215797
CAT II
The BIG-IP Core implementation must be configured to check the validity of all data inputs except those specifically identified by the organization.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-266158
CAT II
The F5 BIG-IP appliance must check the validity of all data inputs except those specifically identified by the organization.
F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-213710
CAT II
DB2 must check the validity of all data inputs except those specifically identified by the organization.
IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-213711
CAT II
DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.
IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-213712
CAT II
DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-65307
CAT II
The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.
IBM DataPower ALG Security Technical Implementation Guide
V-55351
CAT II
The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
V-206921
CAT II
The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
Intrusion Detection and Prevention Systems Security Requirements Guide
V-241790
CAT II
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
Jamf Pro v10.x EMM Security Technical Implementation Guide
V-213776
CAT II
SQL Server must check the validity of all data inputs except those specifically identified by the organization.
MS SQL Server 2014 Database Security Technical Implementation Guide
V-213782
CAT II
The DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
MS SQL Server 2014 Database Security Technical Implementation Guide
V-213783
CAT II
The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
MS SQL Server 2014 Database Security Technical Implementation Guide
V-213916
CAT II
SQL Server must check the validity of all data inputs except those specifically identified by the organization.
MS SQL Server 2016 Database Security Technical Implementation Guide
V-205523
CAT II
The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization.
Mainframe Product Security Requirements Guide
V-253714
CAT II
MariaDB must check the validity of all data inputs except those specifically identified by the organization.
MariaDB Enterprise 10.x Security Technical Implementation Guide
V-253715
CAT II
MariaDB and associated applications must reserve the use of dynamic code execution for situations that require it.
MariaDB Enterprise 10.x Security Technical Implementation Guide
V-253716
CAT II
MariaDB and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
MariaDB Enterprise 10.x Security Technical Implementation Guide
V-255310
CAT II
Azure SQL Database must check the validity of all data inputs except those specifically identified by the organization.
Microsoft Azure SQL Database Security Technical Implementation Guide
V-255311
CAT II
The Azure SQL Database and associated applications must reserve the use of dynamic code execution for situations that require it.
Microsoft Azure SQL Database Security Technical Implementation Guide
V-255312
CAT II
The Azure SQL Database and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Microsoft Azure SQL Database Security Technical Implementation Guide
V-276230
CAT II
Azure SQL Managed Instance and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-276291
CAT II
Azure SQL Managed Instance must check the validity of all data inputs except those specifically identified by the organization.
Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-218808
CAT II
Directory Browsing on the IIS 10.0 web server must be disabled.
Microsoft IIS 10.0 Server Security Technical Implementation Guide
V-218759
CAT II
Directory Browsing on the IIS 10.0 website must be disabled.
Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-271176
CAT II
SQL Server must check the validity of all data inputs except those specifically identified by the organization.
Microsoft SQL Server 2022 Database Security Technical Implementation Guide
V-271331
CAT II
SQL Server and associated applications must reserve the use of dynamic code execution for situations that require it.
Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-271332
CAT II
SQL Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-215638
CAT II
The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-259401
CAT II
The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-221181
CAT II
MongoDB must check the validity of all data inputs except those specifically identified by the organization.
MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-221182
CAT II
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.
MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252143
CAT II
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-252167
CAT II
MongoDB must check the validity of all data inputs except those specifically identified by the organization.
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265929
CAT II
MongoDB must check the validity of all data inputs except those specifically identified by the organization.
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-265930
CAT II
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-279365
CAT II
MongoDB must check the validity of all data inputs except those specifically identified by the organization.
MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-279366
CAT II
MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.
MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-219784
CAT II
The DBMS must check the validity of data inputs.
Oracle Database 11.2g Security Technical Implementation Guide
V-220300
CAT II
The DBMS must check the validity of data inputs.
Oracle Database 12c Security Technical Implementation Guide
V-270580
CAT II
Oracle Database must check the validity of data inputs.
Oracle Database 19c Security Technical Implementation Guide
V-270581
CAT II
The database management system (DBMS) and associated applications must reserve the use of dynamic code execution for situations that require it.
Oracle Database 19c Security Technical Implementation Guide
V-270582
CAT II
The database management system (DBMS) and associated applications, when making use of dynamic code execution, must take steps against invalid values that may be used in a SQL injection attack.
Oracle Database 19c Security Technical Implementation Guide
V-235156
CAT II
The MySQL Database Server 8.0 must check the validity of all data inputs except those specifically identified by the organization.
Oracle MySQL 8.0 Security Technical Implementation Guide
V-235157
CAT II
The MySQL Database Server 8.0 and associated applications must reserve the use of dynamic code execution for situations that require it.
Oracle MySQL 8.0 Security Technical Implementation Guide
V-235158
CAT II
The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Oracle MySQL 8.0 Security Technical Implementation Guide
V-214063
CAT II
PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.
PostgreSQL 9.x Security Technical Implementation Guide
V-214064
CAT II
PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.
PostgreSQL 9.x Security Technical Implementation Guide
V-214065
CAT II
PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
PostgreSQL 9.x Security Technical Implementation Guide
V-251250
CAT II
Redis Enterprise DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
Redis Enterprise 6.x Security Technical Implementation Guide
V-251251
CAT II
Redis Enterprise DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Redis Enterprise 6.x Security Technical Implementation Guide
V-234421
CAT II
The UEM server must check the validity of all data inputs.
Unified Endpoint Management Server Security Requirements Guide
V-240824
CAT II
tc Server HORIZON must set URIEncoding to UTF-8.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240825
CAT II
tc Server VCO must set URIEncoding to UTF-8.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240826
CAT II
tc Server HORIZON must use the setCharacterEncodingFilter filter.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240827
CAT II
tc Server VCO must use the setCharacterEncodingFilter filter.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240828
CAT II
tc Server VCAC must set URIEncoding to UTF-8.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240829
CAT II
tc Server VCAC must use the setCharacterEncodingFilter filter.
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-241679
CAT II
tc Server UI must set URIEncoding to UTF-8.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241680
CAT II
tc Server CaSa must set URIEncoding to UTF-8.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241681
CAT II
tc Server API must set URIEncoding to UTF-8.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241682
CAT II
tc Server UI must use the setCharacterEncodingFilter filter.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241683
CAT II
tc Server CaSa must use the setCharacterEncodingFilter filter.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241684
CAT II
tc Server API must use the setCharacterEncodingFilter filter.
VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-256663
CAT II
VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8.
VMware vSphere 7.0 VAMI Security Technical Implementation Guide
V-256692
CAT II
ESX Agent Manager must set URIEncoding to UTF-8.
VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
V-256693
CAT II
ESX Agent Manager must use the "setCharacterEncodingFilter" filter.
VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
V-256725
CAT II
Lookup Service must set URIEncoding to UTF-8.
VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-256630
CAT II
Performance Charts must set "URIEncoding" to UTF-8.
VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-256631
CAT II
Performance Charts must use the "setCharacterEncodingFilter" filter.
VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-256764
CAT II
The Security Token Service must set "URIEncoding" to UTF-8.
VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
V-256765
CAT II
The Security Token Service must use the "setCharacterEncodingFilter" filter.
VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
V-256798
CAT II
vSphere UI must set URIEncoding to UTF-8.
VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
V-259013
CAT II
The vCenter ESX Agent Manager service must set URIEncoding to UTF-8.
VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide
V-259020
CAT II
The vCenter ESX Agent Manager service must configure the "setCharacterEncodingFilter" filter.
VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide
V-259047
CAT II
The vCenter Lookup service must set URIEncoding to UTF-8.
VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-259054
CAT II
The vCenter Lookup service must configure the "setCharacterEncodingFilter" filter.
VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-259150
CAT II
The vCenter VAMI service must set the encoding for all text MIME types to UTF-8.
VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide
V-259081
CAT II
The vCenter Perfcharts service must set URIEncoding to UTF-8.
VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-259088
CAT II
The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter.
VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-258981
CAT II
The vCenter STS service must set URIEncoding to UTF-8.
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide
V-258987
CAT II
The vCenter STS service must configure the "setCharacterEncodingFilter" filter.
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide
V-259114
CAT II
The vCenter UI service must set URIEncoding to UTF-8.
VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide
V-259121
CAT II
The vCenter UI service must configure the "setCharacterEncodingFilter" filter.
VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide
V-207409
CAT II
The VMM must check the validity of all data inputs except those specifically identified by the organization.
Virtual Machine Manager Security Requirements Guide
V-206410
CAT II
The web server must limit the character set used for data entry.
Web Server Security Requirements Guide
V-264364
CAT II
The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.
Web Server Security Requirements Guide
V-264365
CAT II
The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.
Web Server Security Requirements Guide