Messages protected with WS-Security must use time stamps with creation and expiration times.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-222399 | SRG-APP-000014 | APSC-DV-000190 | SV-222399r960759_rule | 2025-02-12 | 6 |
Description |
---|
The lack of time stamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality. |
ℹ️ Check |
---|
Ask the application representative for the design document. Review the design document for web services using WS-Security tokens. If the application does not utilize WS-Security tokens, this check is not applicable. Examine the contents of a SOAP message using WS-Security; all messages should contain time stamps, sequence numbers, and expiration. If messages using WS-Security do not contain time stamps, sequence numbers, and expiration, this is a finding. |
✔️ Fix |
---|
Design and configure applications using WS-Security messages to use time stamps with creation and expiration times and sequence numbers. |
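
The time stamp part of the check above can be automated against a captured SOAP message. The following is an added example, not part of the STIG text: it looks for `wsu:Timestamp` with `wsu:Created` and `wsu:Expires` inside the `wsse:Security` header and flags expired or implausible values. The five-minute lifetime, the clock-skew allowance and the sample envelopes are assumptions constructed for illustration; sequence numbers are not covered.

```python
import xml.etree.ElementTree as ET  # for captured messages under review; prefer defusedxml on untrusted input
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
MAX_LIFETIME = timedelta(minutes=5)  # assumed local policy, not a value from the STIG
CLOCK_SKEW = timedelta(seconds=30)   # assumed tolerance between sender and receiver clocks

def _parse_utc(text):
    # WS-Security time stamps are xsd:dateTime values, normally UTC with a trailing "Z"
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def timestamp_findings(soap_xml, now):
    """Return a list of findings; an empty list means the time stamp checks pass."""
    root = ET.fromstring(soap_xml)
    security = root.find(f".//{{{WSSE}}}Security")
    if security is None:
        return ["no wsse:Security header (check not applicable)"]
    ts = security.find(f"{{{WSU}}}Timestamp")
    if ts is None:
        return ["wsu:Timestamp missing"]
    created = ts.findtext(f"{{{WSU}}}Created")
    expires = ts.findtext(f"{{{WSU}}}Expires")
    findings = [f"wsu:{name} missing"
                for name, value in (("Created", created), ("Expires", expires)) if value is None]
    if findings:
        return findings
    c, e = _parse_utc(created), _parse_utc(expires)
    if e <= c:
        findings.append("Expires is not after Created")
    elif e - c > MAX_LIFETIME:
        findings.append("lifetime exceeds policy")
    if now >= e:
        findings.append("message expired")  # a replayed capture ends up here
    if c > now + CLOCK_SKEW:
        findings.append("Created is in the future")
    return findings

def sample_envelope(timestamp_children):
    # Constructed SOAP 1.1 envelope used only as sample input
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soap:Header><wsse:Security>'
            f'<wsu:Timestamp>{timestamp_children}</wsu:Timestamp>'
            f'</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

GOOD = sample_envelope("<wsu:Created>2025-02-12T10:00:00Z</wsu:Created>"
                       "<wsu:Expires>2025-02-12T10:05:00Z</wsu:Expires>")
NO_EXPIRES = sample_envelope("<wsu:Created>2025-02-12T10:00:00Z</wsu:Created>")
```

Passing the same `GOOD` envelope with a later `now` shows why the expiration matters: the message is structurally valid but is rejected as expired.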