312-50V11 · Question #972
Stella, a professional hacker, performs an attack on web services by exploiting a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. T
The correct answer is B. WS-Address spoofing. WS-Address spoofing exploits WS-Addressing headers in SOAP messages to inject malicious routing directives, enabling attackers to redirect web service traffic across separate TCP connections for asynchronous communication abuse.
Question
Options
- AXML injection
- BWS-Address spoofing
- CSOAPAction spoofing
- DWeb services parsing attacks
How the community answered
(31 responses)- A3% (1)
- B77% (24)
- C6% (2)
- D13% (4)
Why each option
WS-Address spoofing exploits WS-Addressing headers in SOAP messages to inject malicious routing directives, enabling attackers to redirect web service traffic across separate TCP connections for asynchronous communication abuse.
XML injection attacks target application-level input handling by inserting malicious XML constructs into data fields, not by manipulating SOAP routing headers for asynchronous message redirection.
WS-Addressing is a W3C specification that embeds routing and endpoint reference information within SOAP headers to support asynchronous messaging, allowing requests and responses to traverse different TCP connections. Stella exploits this by spoofing those routing headers to redirect SOAP messages to attacker-controlled endpoints or manipulate message flow. This technique is specifically classified as WS-Address spoofing because it leverages the WS-Addressing extension to compromise web service communication.
SOAPAction spoofing manipulates the HTTP SOAPAction header to invoke unintended service operations or bypass security controls, but does not involve the routing information in SOAP headers that supports asynchronous multi-connection communication.
Web services parsing attacks exploit vulnerabilities in XML parsers such as XXE or recursive entity expansion, not the WS-Addressing routing metadata embedded in SOAP headers.
Concept tested: WS-Addressing SOAP header spoofing in web services
Source: https://www.w3.org/TR/ws-addr-core/
Topics
Community Discussion
No community discussion yet for this question.