SOAP Security
SOAP security refers to the standards and practices for protecting SOAP-based web services, including WS-Security for message-level authentication and encryption, and defenses against XML-specific attack vectors.
SOAP (Simple Object Access Protocol) is an XML-based messaging protocol that remains widespread in enterprise, financial-services and government systems. Unlike REST APIs, which rely on transport security and application-level tokens, SOAP has its own security specifications: the WS-Security family of standards defines message-level encryption, digital signatures and the exchange of authentication tokens directly within the XML envelope.
WS-Security allows attaching security credentials (X.509 certificates, SAML assertions, or UsernameToken elements carrying a password or password digest) to SOAP messages and signing or encrypting selected parts of the envelope, giving end-to-end protection that survives passage through intermediaries such as gateways and message brokers. This is a significant advantage over transport-level security (TLS) alone, which protects data only between immediate communication endpoints and leaves it exposed at every intermediary that terminates the connection. The protection holds only for the elements a signature or encryption actually covers, so the receiving side must check that the parts it relies on are the parts that were signed.
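As an added example (not code from the original page), the following Python shows the UsernameToken digest exchange from the WS-Security Username Token Profile: the client computes PasswordDigest = Base64(SHA-1(nonce + created + password)), and the server recomputes it, rejects cleartext PasswordText tokens, enforces a freshness window on wsu:Created and refuses a replayed nonce. The five-minute window, the sample user "alice", the body operation GetOrder and the fixed clock in run_demo() are assumptions for the demonstration; the namespace URIs and the digest formula are those of the OASIS profile.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
FRESHNESS = timedelta(minutes=5)   # assumed clock-skew / replay window


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile digest: Base64(SHA-1(nonce + created + password))."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes, created: str, body_xml: str) -> bytes:
    """Client side: wrap a body in an Envelope whose header carries a digest UsernameToken."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>""".encode("utf-8")


def verify_username_token(raw: bytes, lookup_password, now: datetime, seen_nonces: set) -> bool:
    """Server side: accept only a fresh, unreplayed digest token whose digest matches the stored password."""
    root = ET.fromstring(raw)   # in production, parse with DTD/entity processing disabled
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False
    username = tok.findtext("wsse:Username", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    nonce_el = tok.find("wsse:Nonce", NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    if any(x is None for x in (username, pw, nonce_el, created)):
        return False
    if pw.get("Type") != DIGEST_TYPE:               # refuse cleartext PasswordText tokens
        return False
    try:
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        nonce = base64.b64decode(nonce_el.text or "", validate=True)
    except ValueError:                              # unparsable timestamp or nonce
        return False
    if created_at.tzinfo is None or abs(now - created_at) > FRESHNESS:
        return False                                # stale or future-dated token
    if (username, nonce) in seen_nonces:
        return False                                # replayed nonce
    expected = password_digest(nonce, created, lookup_password(username) or "")
    if not hmac.compare_digest(expected, pw.text or ""):
        return False
    seen_nonces.add((username, nonce))              # record only after a successful check
    return True


def run_demo() -> dict:
    """Constructed exchange with a fixed clock so the outcome is deterministic."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    users = {"alice": "correct horse battery staple"}   # assumed credential store
    env = build_envelope("alice", users["alice"], b"\x01\x02\x03\x04\x05\x06\x07\x08",
                         "2024-05-01T11:59:30Z",
                         '<GetOrder xmlns="urn:orders"><Id>42</Id></GetOrder>')
    seen = set()
    return {
        "fresh": verify_username_token(env, users.get, now, seen),
        "replay": verify_username_token(env, users.get, now, seen),
        "wrong_password": verify_username_token(env, {"alice": "nope"}.get, now, set()),
        "stale": verify_username_token(env, users.get, now + timedelta(hours=1), set()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The nonce cache is what turns the digest from a static credential into a one-time proof; without it, anyone who captures an envelope in transit can replay it for as long as the timestamp stays inside the window, which is why this token is normally combined with TLS or message signing rather than used on its own.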
However, SOAP services are exposed to several XML-specific attacks. XML External Entity (XXE) injection abuses parsers that resolve external entity references to read server files or to make the server issue requests on the attacker's behalf (SSRF). XML bomb attacks (the "billion laughs" payload) cause denial of service through exponential expansion of nested entity definitions. XPath injection targets services that build XPath queries from untrusted parts of the request. Exposing the WSDL reveals the complete service interface, including operations and parameter types, to anyone who can fetch it.

To secure SOAP services, organizations should disable DTD processing (or at minimum external entity resolution) in every XML parser on the request path, validate messages against the service's XML schema, enforce message size limits, restrict access to the WSDL, apply WS-Security policies consistently across all operations, and monitor for XML-based attack patterns in their web application firewalls.
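As an added example (not code from the original page), the following Python implements the first three defenses above for an inbound SOAP request using only the standard library: a size limit, a pre-parse pass with expat that refuses any DOCTYPE, entity declaration or external entity reference, and a structural check that the document is a SOAP 1.1 or 1.2 Envelope with exactly one Body operation. The 64 KiB limit, the GetOrder operation and the three sample envelopes are constructed for the demonstration; in a real deployment the same checks would normally be delegated to a library such as defusedxml or lxml configured with entity resolution disabled, and followed by schema validation, which the standard library does not provide.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",      # SOAP 1.2
}
MAX_MESSAGE_BYTES = 64 * 1024   # assumed per-service limit


class UnsafeSoapMessage(ValueError):
    """Raised for any message that fails the pre-parse checks."""


def _forbid(reason: str):
    """Build an expat handler that aborts parsing with the given reason."""
    def handler(*_args):
        raise UnsafeSoapMessage(reason)
    return handler


def parse_soap_envelope(raw: bytes) -> ET.Element:
    """Reject oversized, DTD-bearing or non-SOAP input; return the Body's operation element."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise UnsafeSoapMessage("message exceeds size limit")
    # Pre-flight with expat: a handler fires on the first DOCTYPE/entity, before any expansion.
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE declarations are not accepted")
    p.EntityDeclHandler = _forbid("entity declarations are not accepted")
    p.ExternalEntityRefHandler = _forbid("external entity references are not accepted")
    try:
        p.Parse(raw, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSoapMessage(f"malformed XML: {exc}") from exc
    # Only DTD-free, well-formed input reaches the tree builder.
    root = ET.fromstring(raw)
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
        raise UnsafeSoapMessage("root element is not a SOAP Envelope")
    body = root.find(f"{{{ns}}}Body")
    if body is None or len(body) != 1:
        raise UnsafeSoapMessage("Envelope must carry exactly one Body operation")
    return body[0]


def rejection_reason(raw: bytes):
    """None if the message is accepted, otherwise the reason it was refused."""
    try:
        parse_soap_envelope(raw)
    except UnsafeSoapMessage as exc:
        return str(exc)
    return None


SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed samples: a benign request and two classic hostile payloads.
BENIGN_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP11}">
  <soap:Body><GetOrder xmlns="urn:orders"><Id>42</Id></GetOrder></soap:Body>
</soap:Envelope>""".encode()

XXE_ENVELOPE = f"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="{SOAP11}">
  <soap:Body><GetOrder xmlns="urn:orders"><Id>&xxe;</Id></GetOrder></soap:Body>
</soap:Envelope>""".encode()

BILLION_LAUGHS_ENVELOPE = f"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="{SOAP11}">
  <soap:Body><GetOrder xmlns="urn:orders"><Id>&lol3;</Id></GetOrder></soap:Body>
</soap:Envelope>""".encode()


if __name__ == "__main__":
    for name, msg in [("benign", BENIGN_ENVELOPE), ("xxe", XXE_ENVELOPE),
                      ("billion laughs", BILLION_LAUGHS_ENVELOPE)]:
        print(f"{name}: {rejection_reason(msg) or 'accepted'}")
```

Refusing the DOCTYPE outright is deliberate: a SOAP envelope has no legitimate need for an inline DTD, and rejecting it at the first token means the billion-laughs payload is never expanded and the XXE payload never reaches a resolver, regardless of how the underlying parser is otherwise configured.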