SOAP Action Spoofing

ID

soap_action_spoofing

Severity

critical

Kind

Injection

CWE

451

Description

The server executed a SOAP operation that differs from the one specified in the SOAPAction header, indicating the application does not validate consistency between the header and the message body. This detector identifies cases where an attacker can specify one operation in the SOAPAction header while sending a different operation in the SOAP body.

Rationale

SOAP action spoofing allows attackers to bypass access controls by declaring a benign operation in the SOAPAction header while executing a privileged operation in the message body. If the application validates authorization based only on the SOAPAction header, attackers can invoke administrative or restricted operations without proper permissions. This can lead to unauthorized data access, modification of critical data, or execution of privileged functions reserved for administrators.

Remediation

Validate that the operation specified in the SOAPAction header matches the operation in the SOAP message body before processing any request. Implement authorization checks based on the actual operation in the message body, not the SOAPAction header. If SOAPAction is not required for your implementation, disable it entirely to eliminate the attack vector. Reject requests where the header and body operations do not match.
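The following is an added illustration of this remediation, not code from the detector or any product: a flawed dispatcher that authorizes on the SOAPAction header next to a hardened one that requires header and body to agree and authorizes on the body operation. The role policy, the `urn:bank` namespace and the sample envelope are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed example policy: operation (body element local name) -> minimum role.
OPERATION_ROLES = {"GetBalance": "user", "DeleteAccount": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}

def body_operation(envelope_xml: str) -> str:
    """Return the local name of the single operation element inside soap:Body."""
    root = ET.fromstring(envelope_xml)  # use defusedxml in production to block XXE
    body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation element in soap:Body")
    return body[0].tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def header_operation(soap_action: str) -> str:
    """Extract the operation name from a SOAPAction value such as "urn:bank#GetBalance"."""
    action = soap_action.strip().strip('"')
    return action.rsplit("#", 1)[-1].rsplit("/", 1)[-1]

def authorized(operation: str, caller_role: str) -> bool:
    required = OPERATION_ROLES.get(operation)
    return required is not None and ROLE_RANK.get(caller_role, 0) >= ROLE_RANK[required]

def dispatch_vulnerable(soap_action: str, envelope_xml: str, caller_role: str) -> tuple:
    """Flawed pattern: authorizes on the header, then executes whatever the body names."""
    if not authorized(header_operation(soap_action), caller_role):
        return 403, "forbidden"
    return 200, f"executed {body_operation(envelope_xml)}"

def dispatch_hardened(soap_action: str, envelope_xml: str, caller_role: str) -> tuple:
    """Remediated pattern: header must agree with body; authorization uses the body operation."""
    try:
        body_op = body_operation(envelope_xml)
    except (ET.ParseError, ValueError) as exc:
        return 400, f"malformed request: {exc}"
    if soap_action and header_operation(soap_action) != body_op:
        return 400, "SOAPAction header does not match body operation"  # reject, never pick a side
    if not authorized(body_op, caller_role):
        return 403, f"{body_op} not permitted for role {caller_role}"
    return 200, f"executed {body_op}"

# Constructed request: benign operation in the header, privileged one in the body.
SPOOFED_ACTION = '"urn:bank#GetBalance"'
SPOOFED_ENVELOPE = (
    f'<soap:Envelope xmlns:soap="{SOAP_ENV_NS}"><soap:Body>'
    '<DeleteAccount xmlns="urn:bank"><id>42</id></DeleteAccount>'
    '</soap:Body></soap:Envelope>'
)
```

Calling `dispatch_vulnerable(SPOOFED_ACTION, SPOOFED_ENVELOPE, "user")` executes DeleteAccount as a plain user, while `dispatch_hardened` returns 400 for the same request and 403 when the header is made consistent but the role is still insufficient.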