ZAP – SOAP Action Spoofing

Details
Alert ID	90026
Alert Type	Active
Status	beta
Risk	High
CWE
WASC
Technologies Targeted	All
Tags	OWASP_2017_A01 OWASP_2021_A03
More Info	Scan Rule Help

Summary

An unintended SOAP operation was executed by the server.

Solution

If not required, the SOAPAction attribute should be disabled. If needed, the operation within the SOAPAction and the SOAP body should always be compared before executing any operation. Any mismatch should be regarded as an attack.

Other Info

An unintended SOAP operation was executed by the server.

References

https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/07/11/camera-ready.pdf

Code

org/zaproxy/zap/extension/soap/SOAPActionSpoofingActiveScanRule.java