SOAP data is usually sent using XML, so all test cases in the XML category apply here. Because the data is often sent over the network, the network request/response cases also apply. Here are some SOAP-specific cases. Refer to Chapters 4 and 11.
Sample Test Cases

Test Case | Description
---|---
`<unluckyNumbers xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:enc="http://www.w3.org/2001/12/soap-encoding" enc:arrayType="xs:int[500000]"> <number>4</number> <number>42</number> </unluckyNumbers>` | SOAP array DoS. Some servers allocate memory for the array up front, based on the declared array size, so an attacker who specifies a large size while sending only a few elements can make the server consume large amounts of memory. |
Verify DTDs aren't used in SOAP 1.1 messages | DTDs can be used to build strings dynamically on the victim's machine and consume large amounts of memory. The SOAP 1.1 specification states that a SOAP message must not contain a DTD. |
`http://server/test.asmx/method-name?param1=val1&param2=val2` | SOAP CSRF attack using GET. |
`<FORM name="myForm" action="http://server/test.asmx/method-name" method="POST"> <INPUT type="hidden" name="param1" value="val1"> <INPUT type="hidden" name="param2" value="val2"> <INPUT type="submit"> </FORM>` | SOAP CSRF attack using POST. |
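The three checks a SOAP endpoint would want against these test cases, as an added Python example that is not from the book and not any framework's own code. It screens the request line and headers first (an HTML form or a bare URL can neither send a `text/xml` body nor set a `SOAPAction` header, so insisting on both blocks the GET and form-POST rows), then parses the body with the standard-library expat parser, refusing any `DOCTYPE` before its internal subset is read and refusing an `arrayType` hint that declares more elements than a configurable limit. The element limit, the accepted content types and the sample messages are constructed for the example; only the local name `arrayType` is matched, whatever prefix the message binds the encoding namespace to.

```python
import re
from xml.parsers import expat

# Constructed limit for this example: the most elements a client may declare
# in one arrayType hint before the message is refused. Tune it per service.
MAX_DECLARED_ELEMENTS = 10_000

# Content types an HTML <form> cannot produce. Requiring one of them, plus the
# SOAP 1.1 SOAPAction header, keeps plain cross-site GETs and form POSTs out.
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")

# Matches the trailing "[n]" or "[n,m,...]" of an arrayType value.
_ARRAY_DIMS = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]\s*$")


class SoapRejected(Exception):
    """Raised when a request or message fails one of the checks below."""


def declared_array_size(array_type):
    """Number of elements an arrayType value such as 'xs:int[500000]' or
    'xs:string[2,3]' claims; None for an unsized hint like 'xs:int[]'."""
    match = _ARRAY_DIMS.search(array_type)
    if not match:
        return None
    total = 1
    for dim in match.group(1).split(","):
        total *= int(dim)
    return total


def check_soap_body(data, max_elements=MAX_DECLARED_ELEMENTS):
    """Parse `data` (bytes) and raise SoapRejected on a DOCTYPE or on an
    arrayType that declares more than `max_elements` elements.
    Returns the declared array sizes seen when the message is acceptable."""
    sizes = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as "<!DOCTYPE" is seen, before any entity in the
        # internal subset is declared, so nothing can be expanded later.
        raise SoapRejected("DOCTYPE/DTD is not allowed in a SOAP message")

    def on_start(tag, attrs):
        for attr_name, value in attrs.items():
            if attr_name.rsplit(":", 1)[-1] == "arrayType":
                n = declared_array_size(value)
                if n is None:
                    continue
                if n > max_elements:
                    raise SoapRejected(
                        f"arrayType declares {n} elements (limit {max_elements})")
                sizes.append(n)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise SoapRejected(f"malformed XML: {exc}") from exc
    return sizes


def check_soap_request(method, headers):
    """Reject anything a bare URL or an HTML form could have produced."""
    if method.upper() != "POST":
        raise SoapRejected(f"SOAP methods are not served over {method}")
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES:
        raise SoapRejected(f"unexpected Content-Type {ctype!r}")
    if "soapaction" not in lowered:
        raise SoapRejected("missing SOAPAction header")


def screen(method, headers, body):
    """Run both checks and report (accepted, reason) instead of raising."""
    try:
        check_soap_request(method, headers)
        sizes = check_soap_body(body)
    except SoapRejected as exc:
        return False, str(exc)
    return True, f"ok, declared array sizes {sizes}"


# Constructed sample traffic. OVERSIZED declares 500,000 ints but carries two,
# which is exactly the mismatch the array DoS relies on.
SOAP_HEADERS = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"method-name"'}
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
OVERSIZED = (b'<unluckyNumbers xmlns:enc="http://www.w3.org/2001/12/soap-encoding" '
             b'enc:arrayType="xs:int[500000]"><number>4</number><number>42</number>'
             b'</unluckyNumbers>')
WITH_DTD = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><unluckyNumbers>&a;</unluckyNumbers>'
BENIGN = (b'<unluckyNumbers xmlns:enc="http://www.w3.org/2001/12/soap-encoding" '
          b'enc:arrayType="xs:int[2]"><number>4</number><number>42</number>'
          b'</unluckyNumbers>')

if __name__ == "__main__":
    for label, args in [("benign", ("POST", SOAP_HEADERS, BENIGN)),
                        ("oversized array", ("POST", SOAP_HEADERS, OVERSIZED)),
                        ("dtd", ("POST", SOAP_HEADERS, WITH_DTD)),
                        ("csrf get", ("GET", {}, b"")),
                        ("csrf form post", ("POST", FORM_HEADERS, b"param1=val1"))]:
        print(f"{label:16} -> {screen(*args)}")
```

The body check refuses on the declared size rather than on the number of elements actually present because the point of the test case is that the allocation happens before the elements are read; counting elements afterwards would be too late. The request check is a guard against the two CSRF rows only, not a general CSRF defence; an endpoint that also accepts form-encoded or GET invocations needs the usual anti-CSRF token as well.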