SOAP Injection
This guide demonstrates how to exploit the SOAP Injection vulnerability in the "Check User Status" feature within the Admin Area.
The application uses a legacy SOAP service (/dvwsuserservice) to retrieve user details. The backend constructs the SOAP XML response by concatenating the requested username directly into the XML structure without proper escaping.
This allows an attacker to "break out" of the <username> tag and inject their own XML tags into the response, such as <role> or <status>.
An attacker wants to trick an administrator (or a system consuming this service) into believing a regular user has "admin" privileges.
- URL: /dvwsuserservice (accessed via Admin Area -> Check User Status)
- Method: POST (XML)

The goal is to inject a <role>admin</role> tag.

We use the following payload as the "Username":

test</username><role>admin</role><username>ignore

How it works:
- The server expects to insert the username here:
  <username>[INPUT]</username>
- With our input, it becomes:
  <username>test</username><role>admin</role><username>ignore</username>
- The XML parser reads this as:
  - username: "test"
  - role: "admin" (the injected value!)
  - username: "ignore" (extra tag to balance the structure)
  - ... followed by the real <role>user</role>, which comes later in the template.
Since the injected tag appears first or is parsed as a sibling, the client application (Admin Dashboard) picks up the injected role.
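As an added illustration (not DVWS's own code), here is a response builder that concatenates the username the way the page describes, next to an escaped version, both read by a naive client that takes the first <role> element it finds. The element names and the response template are assumptions modelled on this walkthrough.

```javascript
// Added example, not DVWS's own code: a SOAP response built by string
// concatenation (the bug the page describes) next to an escaped version, read
// by a naive client that takes the first <role> element it finds. The element
// names and response template are assumptions modelled on the walkthrough.

const PAYLOAD = 'test</username><role>admin</role><username>ignore';

// Vulnerable: the username is pasted straight into the XML template.
function buildResponseUnsafe(username) {
  return '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' +
    '<soap:Body><userResponse>' +
    '<username>' + username + '</username>' +
    '<role>user</role><status>active</status>' +
    '</userResponse></soap:Body></soap:Envelope>';
}

// Fix: escape XML metacharacters so input can only ever be character data.
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildResponseSafe(username) {
  return buildResponseUnsafe(escapeXml(username));
}

// Naive client-side reader: text of the first <tag> element, entities decoded,
// which is what a dashboard doing getElementsByTagName(tag)[0] would see.
function firstTagText(xml, tag) {
  const m = xml.match(new RegExp('<' + tag + '>([^<]*)</' + tag + '>'));
  if (!m) return null;
  return m[1].replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Compare what the client reads from both responses for the page's payload.
function demo(username = PAYLOAD) {
  const unsafe = buildResponseUnsafe(username);
  const safe = buildResponseSafe(username);
  return {
    unsafeRole: firstTagText(unsafe, 'role'),      // 'admin': injected sibling wins
    safeRole: firstTagText(safe, 'role'),          // 'user': template value survives
    safeUsername: firstTagText(safe, 'username'),  // the whole payload, as plain text
  };
}

console.log(demo());
```

With escaping in place the same payload round-trips as an ordinary username string, so a client parsing the response can no longer find an injected <role>.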
- Log in to the application (as admin/vulntest).
- Navigate to the Admin Area (admin.html).
- Locate the "Check User Status (SOAP Service)" section.
- In the "Enter Username" field, paste the payload:
  test</username><role>admin</role><username>ignore
  (Note: You might need to URL-encode characters if sending via the raw API, but the form handles it.)
- Click Check.
Result: The result area should display:
- Username: test
- Role: admin (Spoofed!)
- Status: active

You have successfully injected a tag into the SOAP response and spoofed the user's role.