
Offensive360 Academy
Advanced · 20 min

SOAP/XML Security

Understand XXE vulnerabilities in SOAP services and how schema validation prevents XML injection attacks.

1 XXE in SOAP and WS-Addressing Injection

SOAP web services accept XML messages, so they inherit the vulnerabilities of the XML parser that processes them.

XXE (XML External Entity) in SOAP:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <processOrder>
      <customer>&xxe;</customer>  <!-- File contents inserted here -->
    </processOrder>
  </soapenv:Body>
</soapenv:Envelope>

When external entities are enabled, the parser replaces &xxe; with the contents of /etc/passwd before the service logic ever sees the request. Whatever the service echoes back, in the response or in a fault message, then discloses that file, and the same technique reads any file the service account can access.

WS-Addressing header injection:

SOAP uses WS-Addressing headers to route messages. If attacker-controlled values reach the wsa:ReplyTo or wsa:FaultTo headers unchecked, the service delivers its response or fault message to a server the attacker chooses, leaking whatever the response contains.

2 Disable External Entities and Validate Schema

The primary defense against XXE is to disable external entity processing in the XML parser. Schema validation is defense-in-depth: it rejects unexpected message structure but runs after the document has already been parsed, so it complements the parser settings rather than replacing them.

Disable XXE in Java (most common SOAP platform):

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Refuse any DOCTYPE: without a DTD there is nowhere to declare an external entity.
// This feature alone stops XXE; the remaining settings are defense-in-depth.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// For parsers that must accept a DOCTYPE, disable external general and parameter entities
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Never fetch an external DTD referenced by the document
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// XInclude can also pull local files into the document and must be off
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
DocumentBuilder builder = dbf.newDocumentBuilder(); // throws ParserConfigurationException if a feature is unsupported

Schema validation:

import java.io.*;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;
Schema schema = SchemaFactory
  .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
  .newSchema(new File("service.xsd"));
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // the validator parses the input itself: no external DTD fetches
validator.validate(new StreamSource(new StringReader(soapBody))); // throws SAXException if soapBody does not conform to service.xsd

Defense checklist:

  • Disable all external entity processing features
  • Disable DOCTYPE declarations entirely when possible
  • Validate against a strict XSD schema before processing
  • Validate WS-Addressing headers against allowlists
  • Use a SOAP framework that handles security by default
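As an added example (not part of the lesson's own code), the parser settings above and the WS-Addressing allowlist item from the checklist combined into one inbound guard: it refuses the lesson's XXE payload at the DOCTYPE and rejects a well-formed envelope whose wsa:ReplyTo points at a host outside the allowlist. It assumes Java 9 or later (Set.of), the WS-Addressing 1.0 namespace, and constructed hostnames; schema validation is left to the snippet above.

```java
import java.io.StringReader;
import java.net.URI;
import java.util.Set;
import javax.xml.parsers.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SoapInboundGuard {
    static final String WSA_NS = "http://www.w3.org/2005/08/addressing";
    // Hardened parse (settings from the section above): a DOCTYPE, the precondition for XXE, is refused.
    static Document parse(String soapXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed to address wsa:* elements by namespace below
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(soapXml)));
    }
    // WS-Addressing allowlist: every wsa:ReplyTo / wsa:FaultTo address must name a known host.
    static boolean addressingAllowed(Document env, Set<String> allowedHosts) throws Exception {
        NodeList addrs = env.getElementsByTagNameNS(WSA_NS, "Address");
        for (int i = 0; i < addrs.getLength(); i++) {
            Node a = addrs.item(i);
            String parent = a.getParentNode().getLocalName();
            if (!"ReplyTo".equals(parent) && !"FaultTo".equals(parent)) continue;
            String value = a.getTextContent().trim();
            if (value.equals(WSA_NS + "/anonymous")) continue; // reply on the same connection, not a redirect
            String host = new URI(value).getHost(); // malformed URI throws: fail closed
            if (host == null || !allowedHosts.contains(host.toLowerCase())) return false;
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the lesson's XXE payload; the parser must refuse it at the DOCTYPE.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><s:Envelope"
            + " xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Body><customer>&xxe;</customer></s:Body></s:Envelope>";
        try { parse(xxe); System.out.println("BUG: DOCTYPE accepted"); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
        // Constructed sample 2: well-formed envelope whose ReplyTo names a host outside the allowlist (constructed names).
        String redirect = "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:wsa=\"" + WSA_NS + "\"><s:Header><wsa:ReplyTo><wsa:Address>http://collector.example/cb"
            + "</wsa:Address></wsa:ReplyTo></s:Header><s:Body><processOrder/></s:Body></s:Envelope>";
        System.out.println("ReplyTo allowed: " + addressingAllowed(parse(redirect), Set.of("orders.internal.example")));
    }
}
```

Sample 1 ends in the catch branch and sample 2 prints false; a production handler would return a SOAP fault in both cases rather than process the message.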

Knowledge Check

Q1

What does an XXE attack in a SOAP endpoint allow an attacker to do?

Q2

Which Java DocumentBuilderFactory feature prevents DOCTYPE-based XXE attacks?

Q3

Why is validating against an XSD schema a useful defense-in-depth for SOAP security?

Code Exercise

Disable XML External Entities

The XML parser is configured with default settings, making it vulnerable to XXE. Add the necessary feature flags to disable external entity processing.
