SOAP/XML Services
Legacy doesn't mean forgotten—by you or attackers.
Legacy web service testing for XML injection, SOAP action spoofing, and WS-Security implementation flaws.
Overview
SOAP and XML-based web services remain critical in enterprise environments, particularly in financial services, healthcare, and government. These 'legacy' services often integrate with modern applications while carrying security debt from earlier eras. Our SOAP/XML testing identifies vulnerabilities specific to XML processing and WS-* security standards.
What We Test
Our SOAP/XML services engagements cover these key areas:
XML External Entity (XXE) injection vulnerabilities
XML injection and XPath injection
SOAP action spoofing and method manipulation
WS-Security implementation (signatures, encryption, tokens)
WSDL exposure and information disclosure
XML bomb and denial of service attacks
Our Approach
SOAP/XML services require understanding both the protocol standards and the XML processing vulnerabilities that affect them. We combine specification-based testing with exploitation techniques specific to XML parsers.
WSDL Analysis
Analyze exposed WSDL documents to understand available operations, message structures, and security requirements. Identify all endpoints and their expected inputs.
XXE Testing
Test XML parsers for external entity injection. Attempt file retrieval, SSRF via external DTDs, and denial of service through entity expansion.
Injection Testing
Test for XML injection, XPath injection, and XSLT injection vulnerabilities that could modify query logic or enable data extraction.
SOAP Action Testing
Test for SOAP action spoofing—calling operations not intended for the client by manipulating SOAP headers and action URLs.
WS-Security Analysis
Evaluate WS-Security implementations including signature validation, token handling, timestamp enforcement, and encryption configuration.
DoS Testing
Test for XML-specific denial of service vulnerabilities including billion laughs attacks, quadratic blowup, and external entity expansion.
Common Findings
These are issues we frequently discover during SOAP/XML services engagements:
XML External Entity (XXE) injection
XML parsers configured to process external entities allow file reading, SSRF, and potentially remote code execution through malicious XML input.
WSDL exposure
WSDL documents accessible without authentication reveal all available operations, input structures, and internal naming conventions.
Weak WS-Security implementation
Security tokens accepted without proper validation, signatures not verified, or timestamps not enforced—allowing replay attacks and authentication bypass.
SOAP action spoofing
Applications trust the SOAPAction header to route requests, allowing attackers to call operations they shouldn't have access to by manipulating headers.
XML bomb susceptibility
Parsers vulnerable to entity expansion attacks that consume server resources, enabling denial of service through small malicious payloads.
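A server-side check addressing two of the findings above, entity-based attacks (XXE, XML bombs) and SOAP action spoofing, shown as an added example that is not part of the original page or the firm's tooling. It refuses any request carrying a DOCTYPE (the SOAP 1.1 specification forbids one) and authorizes on the operation element actually present in the SOAP Body, requiring the SOAPAction header to agree with it. The `urn:example:accounts` namespace, the operation names, and the `ACTION_MAP` and `CLIENT_OPS` tables are constructed for illustration.

```python
import xml.parsers.expat

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:accounts"  # constructed namespace and policy tables (assumptions)
ACTION_MAP = {f"{APP_NS}/{op}": f"{APP_NS} {op}" for op in ("GetBalance", "DeleteAccount")}
CLIENT_OPS = {f"{APP_NS} GetBalance"}  # operations this client may call

class Rejected(Exception):
    """Request refused before any business logic runs."""

def body_operation(xml_bytes):
    """Return 'namespace local-name' of the first child of soap:Body.

    Any DOCTYPE aborts parsing, so no entity is ever declared or expanded."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    stack, found = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("DOCTYPE present")

    def on_start(name, attrs):
        if stack == [f"{SOAP11_NS} Envelope", f"{SOAP11_NS} Body"] and not found:
            found.append(name)
        stack.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise Rejected("malformed XML") from exc
    if not found:
        raise Rejected("no operation in Body")
    return found[0]

def authorize(soap_action, xml_bytes):
    """Decide on the Body element; the header must agree with it, not replace it."""
    try:
        op = body_operation(xml_bytes)
    except Rejected as exc:
        return (False, str(exc))
    if ACTION_MAP.get(soap_action.strip('"')) != op:
        return (False, "SOAPAction does not match Body operation")
    if op not in CLIENT_OPS:
        return (False, "operation not permitted for this client")
    return (True, op)

def envelope(op):  # builds a constructed SOAP 1.1 request for the sample namespace
    return (f'<s:Envelope xmlns:s="{SOAP11_NS}"><s:Body>'
            f'<a:{op} xmlns:a="{APP_NS}"/></s:Body></s:Envelope>').encode()
```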
Common Questions
Are SOAP services still relevant?
Yes. They're heavily used in banking, healthcare, government, and enterprise integration. Many organizations have SOAP services that haven't been security tested in years, making them attractive targets.
What if we don't have WSDL documentation?
We can work from traffic captures, test credentials, or reverse engineer the service through endpoint probing. Many SOAP services expose WSDL at predictable URLs even when not formally documented.
Do you test WS-* security standards?
Yes. We test WS-Security, WS-Trust, WS-Federation, and related standards. These complex specifications are often implemented incorrectly, creating subtle vulnerabilities.
Can XXE lead to remote code execution?
In some cases, yes—particularly with PHP's expect:// wrapper or through SSRF to internal services. Even without RCE, XXE typically enables file reading and internal network reconnaissance.
Other API Security Testing Options
REST API Testing
Comprehensive testing of RESTful APIs for authentication bypass, injection flaws, broken object-level authorization, and data exposure.
GraphQL Security
Specialized testing for GraphQL APIs including introspection attacks, query complexity abuse, and authorization bypass.
OAuth/OIDC Assessment
Authentication flow testing for OAuth 2.0 and OpenID Connect implementations, including token handling and redirect vulnerabilities.
Mobile Backend APIs
Testing APIs that support mobile applications, focusing on certificate pinning bypass, API key exposure, and mobile-specific attack vectors.