Soap Array Attack

From WS-Attacks
Jump to: navigation, search

Attack description

SOAP messages are flexible in many ways, even Arrays are supported. If you are new to SOAP arrays check the documentation by the W3C [1].

However this feature that can be exploited by an attacker to cause a denial of service attack to limit the web service availability.

Before an SOAP array is used, its size has to be defined, just like with many other programming languages. By default, SOAP doesn't limit the number of elements within an array. This property can be exploited by an attacker to execute a DOS attack limiting the availability of the web service. Let's assume an attacker declares an array with 1,000,000,000 String elements. Before the message is processed any further by the parser, the web service will reserve space for 1,000,000,000 String Elements in the RAM. In most cases that will lead to memory exhaustion of the attacked system.

Easy countermeasures are available if one is aware of the attack.

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites for attack

In order for this attack to work the attack has to have knowledge about the following things:

  1. Attacker knows endpoint of web service. WSDL is not required, since the attack is solely focused on the XML Parser. It doesn't matter if the Operations within the SOAP Message are valid.
  2. Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, the attack is limited.

Graphical representation of attack


  • Red box = attacked web service component
  • Black box = attacker location
  • blue box = other web service components not actively used in the attack

Attack example

In our example we just take an arbitrary SOAP message with a string array in the SOAP message body. In this case the attacker declares a SOAP array with one million elements.

Siehe bachelor Seite 61

<soapenv:Envelope xmlns:soapenv="..." xmlns: soapenc:"...">
<ns1:FunctionWithArrayInput xmlns:ns1="...">
<DataSet xsi:type="soapenc:Array"
<item xsi:type="xsd:string">Data1</item>
<item xsi:type="xsd:string">Data2</item>
<item xsi:type="xsd:string">Data3</item>

Listing 1: SOAP Message with malicious Array in body

Attack mitigation / countermeasures

The attack can be stopped by using strict schema validation. In most cases the maximum number of array elements is known. Lets make an example. We assume that only 10 elements are allowed, not more. In this case an appropriate schema could look like this[2]:

<!-- start excerpt .. -->
<simpleType name="phoneNumber" base="string"/>

<element name="ArrayOfPhoneNumbers">
  <complexType base="SOAP-ENC:Array">
    <element name="phoneNumber" type="tns:phoneNumber" maxOccurs="10"/>
<!-- end excerpt... -->

Listing 2: Excerpt fixed XML Schema

An excerpt of a valid SOAP message could look like this:

<!-- start excerpt .. -->

<xyz:ArrayOfPhoneNumbers SOAP-ENC:arrayType="xyz:phoneNumber[2]">

<!-- end excerpt... -->

Listing 3: Excerpt of a valid SOAP message

If we cannot limit the number of maximal elements per default, another solution has to be found. In this case it is best to compare the number of declared elements in the "soapenv_arrayType" attribute with number of actual existing array elements. In case they don't match, the SOAP message is discarded. This feature has to be implemented by hand by the web service developer.

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

Categorisation by number of involved parties

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


  1. Meiko Jensen, Nils Gruschka, and Ralph Herkenh ̈ner. A survey of attacks on web services. Springer-Verlag, 2009.
  2. Jan Peters. Use of soa appliances in service-oriented infrascructeres. CAST-Workshop - SOA Security, Juni 2009.
  3. Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.