ZAP – SOAP Action Spoofing

Details
Alert ID	90026
Alert Type	Active
Status	beta
Risk	High
CWE	451
WASC
Technologies Targeted	All
Tags	OWASP_2017_A01 OWASP_2021_A03 POLICY_API POLICY_DEV_CICD POLICY_DEV_FULL POLICY_DEV_STD POLICY_PENTEST POLICY_QA_CICD POLICY_QA_FULL POLICY_QA_STD POLICY_SEQUENCE
More Info	Scan Rule Help

Summary

An unintended SOAP operation was executed by the server.

Solution

If not required, the SOAPAction attribute should be disabled. If needed, the operation within the SOAPAction and the SOAP body should always be compared before executing any operation. Any mismatch should be regarded as an attack.

Other Info

An unintended SOAP operation was executed by the server.

References

https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/07/11/camera-ready.pdf

Code

org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java