SOAP XML Injection

ID

soap_xml_injection

Severity

critical

Kind

Injection

CWE

91

Description

The server processed injected XML content within SOAP messages, indicating insufficient input validation and sanitization. This detector identifies cases where attackers can inject malicious XML elements or attributes that are parsed and interpreted by the SOAP processor, potentially altering the message structure or meaning.

Rationale

SOAP XML injection allows attackers to manipulate the structure and content of SOAP messages by injecting malicious XML. Attackers can alter operation parameters, add new elements to escalate privileges, modify transaction amounts, or inject XXE payloads to read sensitive files. This vulnerability can lead to authentication bypass, unauthorized access to data, or server-side request forgery depending on how the injected XML is processed by the application.

Remediation

Validate every incoming message against the XML schema defined in the WSDL and reject any message that does not conform to the expected structure before it is processed. When building messages, use parameterized SOAP APIs or XML frameworks that construct elements from data and escape user input, rather than concatenating user-supplied strings into XML. Disable XML entity processing in the parser to prevent XXE attacks, and apply whitelist validation to all user-supplied data that will be included in SOAP messages.
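The following added example (not part of this detector page) contrasts a vulnerable string-concatenation builder with a hardened element-based builder, and adds a structural check that stands in for WSDL/XSD validation. The `urn:example:payments` namespace, the `Transfer`/`Amount` operation and the injected input are constructed for the example; entity hardening is not shown.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:payments"  # constructed service namespace

# Constructed injection input: closes Amount and adds a second Amount element.
INJECTED_AMOUNT = "1</pay:Amount><pay:Amount>100000"


def build_unsafe(amount: str) -> str:
    """Vulnerable: user input is concatenated straight into the XML text."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:pay="{SVC_NS}">'
        f"<soap:Body><pay:Transfer><pay:Amount>{amount}</pay:Amount>"
        f"</pay:Transfer></soap:Body></soap:Envelope>"
    )


def build_safe(amount: str) -> str:
    """Hardened: input becomes element text; the serializer escapes < > &."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    transfer = ET.SubElement(body, f"{{{SVC_NS}}}Transfer")
    ET.SubElement(transfer, f"{{{SVC_NS}}}Amount").text = amount
    return ET.tostring(env, encoding="unicode")


def amount_values(xml_text: str) -> list:
    """Parse as the server would and return the text of every Amount element."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.findall(f".//{{{SVC_NS}}}Amount")]


def validate_transfer(xml_text: str) -> bool:
    """Stand-in for schema validation: exactly one Transfer holding exactly
    one Amount whose content is a plain decimal; anything else is rejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1 or body[0].tag != f"{{{SVC_NS}}}Transfer":
        return False
    transfer = body[0]
    if len(transfer) != 1 or transfer[0].tag != f"{{{SVC_NS}}}Amount":
        return False
    amount = transfer[0]
    return len(amount) == 0 and (amount.text or "").isdigit()
```

Against the injected input the unsafe builder yields two `Amount` elements, the safe builder yields one whose text is the literal payload, and the structural check rejects both while accepting a well-formed `250`.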