/docs/desktop/addons/soap-support/ Recent content in SOAP Support on ZAP Hugo en-us /docs/desktop/addons/soap-support/automation/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/desktop/addons/soap-support/automation/ <h1 id="soap-automation-framework-support">SOAP Automation Framework Support</h1> <p>This add-on supports the Automation Framework.</p> <p>The add-on will import WSDL files containing SOAP endpoints if they are found while spidering but adding them explicitly via a URL or local file is recommended if they are available.</p> <h2 id="job-soap">Job: soap <a class="header-link" href="#job-soap"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h2> <p>The soap job allows you to import WSDL files locally or from a URL.</p> /docs/desktop/addons/soap-support/alerts/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/desktop/addons/soap-support/alerts/ <h1 id="soap-alerts">SOAP Alerts</h1> <p>The following alerts are raised by the SOAP add-on. {#id-90026}{#id-90029}{#id-90030}</p> <table> <thead> <tr> <th>Alert Reference</th> <th>Name</th> <th>Description</th> <th>Latest Code</th> </tr> </thead> <tbody> <tr> <td><a href="/docs/alerts/90026/">90026</a></td> <td>Action Spoofing</td> <td>SOAP requests contain some sort of operation that is later executed by the web application. This operation can be found in the first child element of the SOAP Body. However, if HTTP is used to transport the SOAP message the SOAP standard allows the use of an additional HTTP header element called SOAPAction. This header element contains the name of the executed operation. It is supposed to inform the receiving web service of what operation is contained in the SOAP Body, without having to do any XML parsing. This optimization can be used by an attacker to mount an attack, since certain web service frameworks determine the operation to be executed solely on the information contained in the SOAPAction header field.</td> <td><a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java">SOAPActionSpoofingActiveScanRule.java</a></td> </tr> <tr> <td><a href="/docs/alerts/90029/">90029</a></td> <td>SOAP XML Injection</td> <td>During an &ldquo;XML Injection&rdquo; an attacker tries to add or manipulate various XML Tags in the SOAP message aiming to manipulate the XML structure. Usually a successful XML injection results in the execution of a restricted or unintended operation. Depending on the executed operation various security or business controls might be violated.</td> <td><a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/SOAPXMLInjectionActiveScanRule.java">SOAPXMLInjectionActiveScanRule.java</a></td> </tr> <tr> <td><a href="/docs/alerts/90030/">90030</a></td> <td>WSDL File Detection</td> <td>This alert is raised when the passive scanner detects a WSDL file.</td> <td><a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/soap/src/main/java/org/zaproxy/zap/extension/soap/WSDLFilePassiveScanRule.java">WSDLFilePassiveScanRule.java</a></td> </tr> </tbody> </table> <h2 id="see-also">See also <a class="header-link" href="#see-also"><svg class="fill-current o-60 hover-accent-color-light" height="22px" viewBox="0 0 24 24" width="22px" xmlns="http://www.w3.org/2000/svg"><path d="M0 0h24v24H0z" fill="none"/><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" fill="currentColor"/></svg></a></h2> <table> <thead> <tr> <th></th> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td></td> <td><a href="/docs/desktop/addons/soap-support/">SOAP</a></td> <td>for an overview of the SOAP support add-on.</td> </tr> <tr> <td></td> <td><a href="/docs/desktop/addons/soap-support/automation/">SOAP Automation</a></td> <td>for information about the automation framework support.</td> </tr> </tbody> </table>