Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-35
SOAP Array Abuse
XML SOAP arrays are a common target for malicious abuse. SOAP arrays are defined as having a type of “SOAP-ENC:Array” or a type derived therefrom. SOAP arrays have one or more dimensions (rank) whose members are distinguished by ordinal position. An array value is represented as a series of elements reflecting the array, with members appearing in ascending ordinal sequence. For multi-dimensional arrays, the dimension on the right side varies most rapidly. Each member element is named as an independent element. A web service that expects an array can be the target of an XML DoS attack in which the SOAP server is forced to build a huge array in the machine’s memory, inflicting a DoS condition on the machine through memory pre-allocation.
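A defensive check for the pre-allocation problem described above, as an added example that is not part of the WASC entry: it reads the SOAP 1.1 `arrayType` attribute, multiplies the declared dimension sizes, and rejects any array whose declared or actual member count exceeds a policy limit. The `MAX_MEMBERS` value, the function names and the sample envelopes are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"  # SOAP 1.1 encoding namespace
ARRAY_TYPE = "{%s}arrayType" % SOAP_ENC
MAX_MEMBERS = 10_000  # assumed policy limit, tune per service

# The last [...] group of arrayType holds the declared size of each dimension.
_ASIZE = re.compile(r"\[([0-9,\s]*)\]\s*$")

def declared_members(array_type):
    """Product of the declared dimension sizes, or None when the size is left open."""
    match = _ASIZE.search(array_type)
    if match is None:
        raise ValueError("malformed arrayType")
    body = match.group(1).strip()
    if not body:
        return None
    total = 1
    for dim in body.split(","):
        total *= int(dim)  # int("") raises ValueError on an empty dimension
    return total

def check_soap_arrays(xml_text, max_members=MAX_MEMBERS):
    """Return (tag, reason) findings; an empty list means the arrays are within policy."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        array_type = elem.get(ARRAY_TYPE)
        if array_type is None:
            continue
        try:
            declared = declared_members(array_type) or 0
        except ValueError:
            findings.append((elem.tag, "malformed arrayType"))
            continue
        size = max(declared, len(elem))  # declared size vs. members actually sent
        if size > max_members:
            findings.append((elem.tag, "array of %d members exceeds limit" % size))
    return findings

def envelope(tag, array_type, members):
    """Build a constructed sample SOAP 1.1 envelope carrying one array."""
    items = "".join("<item>%d</item>" % i for i in range(members))
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:enc="%s" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>'
            '<%s enc:arrayType="%s">%s</%s></soap:Body></soap:Envelope>'
            % (SOAP_ENC, tag, array_type, items, tag))

if __name__ == "__main__":
    print(check_soap_arrays(envelope("names", "xsd:string[2]", 2)))
    print(check_soap_arrays(envelope("grid", "xsd:int[100000,100000]", 1)))
```

Because the check itself parses the document, run it on a request body that has already passed a size limit and before the SOAP stack deserializes the message.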