Details

Alert Id: 90026
Alert Type: Active
Status: beta
Risk: High
CWE:
WASC:
Technologies Targeted: All
Tags: OWASP_2017_A01, OWASP_2021_A03

Summary

An unintended SOAP operation was executed by the server.

Solution

If it is not required, the SOAPAction header should be disabled. If it is needed, the operation named in the SOAPAction header and the operation in the SOAP body should always be compared before any operation is executed; any mismatch should be treated as an attack.
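As an added, defender-side example (not code from ZAP or from the scan rule listed below), this is the check the solution describes: parse the SOAP Body, derive the operation named by the SOAPAction header, and refuse to dispatch when the two disagree. It assumes a constructed convention in which the service's SOAPAction values end in the operation name (for example `http://example.test/svc/GetBalance` or `urn:svc#GetBalance`); the envelope and namespace are constructed sample data.

```python
"""Server-side guard against SOAPAction spoofing (constructed example).
Assumes SOAPAction values end in the operation name, e.g. http://example.test/svc/GetBalance.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml in production (entity expansion)

SOAP_ENV_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
}


def body_operation(envelope_xml: str) -> str:
    """Return the local name of the first element inside the SOAP <Body>."""
    root = ET.fromstring(envelope_xml)
    for child in root:
        ns, _, local = child.tag.rpartition("}")
        if local == "Body" and ns.lstrip("{") in SOAP_ENV_NS:
            for op in child:
                return op.tag.rpartition("}")[2]
            raise ValueError("empty SOAP Body")
    raise ValueError("no SOAP Body element")


def header_operation(soap_action: str) -> str:
    """Strip quotes and the URI prefix from a SOAPAction value (assumed convention)."""
    action = soap_action.strip().strip('"').strip()
    return action.rstrip("/").split("/")[-1].split("#")[-1]


def select_operation(soap_action, envelope_xml, require_header=True):
    """Return the operation to dispatch, or raise PermissionError on a mismatch.
    require_header=False ignores the header (the "disabled" option) and lets the body decide.
    """
    body_op = body_operation(envelope_xml)
    if not require_header:
        return body_op
    if soap_action is None or header_operation(soap_action) != body_op:
        raise PermissionError(f"SOAPAction mismatch: header={soap_action!r} body={body_op}")
    return body_op


# Constructed sample request: the body asks for GetBalance.
SAMPLE_ENVELOPE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetBalance xmlns="http://example.test/svc"><account>42</account></GetBalance>
  </soap:Body>
</soap:Envelope>"""
```

A header of `"http://example.test/svc/DeleteAccount"` sent with this body is rejected with PermissionError, which is the event a server-side log or WAF rule should record.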

References

Code

org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java