SOAPAction Spoofing

SOAPAction Spoofing is a type of attack against web services that use the Simple Object Access Protocol (SOAP). This attack involves manipulating or forging the SOAPAction header in a SOAP request to trick the server into performing an unintended action. The SOAPAction header in a SOAP request is supposed to indicate the specific action or operation that the request is intended to trigger. By spoofing this header, an attacker can potentially bypass security checks or access unauthorized functionality.

The attacker modifies the SOAPAction header in the SOAP request to an unexpected value or to an action that they are not authorized to use. If the web service does not properly validate the SOAPAction header or relies solely on it for routing requests to the appropriate handlers, this manipulation can allow the attacker to access functions they shouldn't have access to.

The spoofing might exploit logical flaws in the web service where certain actions are inadequately protected or where the routing of requests is based solely on the SOAPAction header.

Imagine a web service that offers two operations: getUserDetails (which is intended to be publicly accessible) and deleteUser (which is restricted to administrators). These operations might be invoked using SOAP requests with SOAPAction headers like:

  • SOAPAction: "http://example.com/getUserDetails"
  • SOAPAction: "http://example.com/deleteUser"

An attacker might normally only have access to getUserDetails. However, if the web service inadequately checks the user's permissions and relies solely on the SOAPAction header to route the request, the attacker could modify their SOAP request to:

SOAPAction: "http://example.com/deleteUser"

Even though they are not an administrator, if the service does not verify their authorization for the deleteUser action, it might process this request, allowing the attacker to delete users.
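To make the two failure modes concrete, here is an added Python model (not code from the original page) of the getUserDetails/deleteUser service above: a flawed dispatcher that routes on the SOAPAction header alone, next to a hardened one that routes on the operation element inside the SOAP Body, rejects requests whose header and Body disagree, and checks the caller's role before running a restricted operation. The service namespace, the role policy and the envelope contents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.com/"  # assumed namespace for the page's example operations

# Constructed authorization policy: the role each operation requires.
OPERATIONS = {"getUserDetails": "user", "deleteUser": "admin"}
# The page's SOAPAction values, mapped back to operation names.
ACTIONS = {"http://example.com/" + op: op for op in OPERATIONS}


class SoapFault(Exception):
    """Stands in for a SOAP Fault response."""


def body_operation(envelope: str) -> str:
    """Return the local name of the single child of soap:Body, i.e. the requested operation."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise SoapFault("Client: Body must contain exactly one operation element")
    return body[0].tag.split("}", 1)[-1]  # strip the {namespace} prefix


def dispatch_vulnerable(headers: dict, envelope: str, role: str) -> str:
    """Flawed dispatcher: routes on SOAPAction alone and never checks authorization."""
    op = ACTIONS.get(headers.get("SOAPAction", "").strip('"'))  # SOAP 1.1 quotes the value
    if op is None:
        raise SoapFault("Client: unknown SOAPAction")
    return "executed " + op  # the Body is ignored, so header and Body may disagree


def dispatch_hardened(headers: dict, envelope: str, role: str) -> str:
    """Routes on the Body element, requires SOAPAction to agree with it, then authorizes."""
    op = body_operation(envelope)
    if op not in OPERATIONS:
        raise SoapFault("Client: unknown operation " + op)
    action = headers.get("SOAPAction", "").strip('"')
    if ACTIONS.get(action) != op:
        raise SoapFault("Client: SOAPAction does not match the Body operation")
    if OPERATIONS[op] == "admin" and role != "admin":
        raise SoapFault("Client: role %r is not authorized for %s" % (role, op))
    return "executed " + op


def envelope(op: str) -> str:
    """Build a constructed SOAP 1.1 request whose Body names the given operation."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<ns:{op} xmlns:ns="{SVC_NS}"><ns:userId>42</ns:userId></ns:{op}>'
            "</soap:Body></soap:Envelope>")
```

Feeding a getUserDetails Body with a spoofed deleteUser SOAPAction header to dispatch_vulnerable runs deleteUser for any caller, while dispatch_hardened raises a fault for the mismatch and, even when header and Body agree, refuses deleteUser to a non-admin role.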