We have a legacy application on Spring MVC, and we have a web service exposed (SOAP protocol) for a reporting client app. This service was tested by a security team, and the report indicates that the service is vulnerable to an XSS attack. The proof provided in the report shows that they injected malicious code into the XML namespace, as shown below:

    <?xml version="1.0" encoding="UTF-8"?>
    <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
        <getReport xmlns="myReport.xsdn9hqu&#x22;&gt;&lt;a xmlns:a=&apos;http://www.w3.org/1999/xhtml&apos;&gt;&lt;a:body onload=&apos;alert(1)&apos;/&gt;&lt;/a&gt;mbr2jk4t5ff">
            <some_info>some value</some_info>
            <some_more_info>some more value</some_more_info>
            <someInput>some input data</someInput>

The app uses Apache Axis 1.4 (JAX-RPC) to provide the service. In the response, the malicious code injected into the XML namespace is sent back, as shown below:

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:getReportResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="myReport.xsdn9hqu">
            <a xmlns:a='http://www.w3.org/1999/xhtml'>
                <a:body onload='alert(1)'/>
            <getReportReturn href="#id0"/>
            . . . report details continue

How do I fix this vulnerability? How can I encode/escape the XML header in this case?

1 Answer


I would not consider it an XSS vulnerability, as SOAP services are usually called by another service that would not execute anything in the response. However, you could address it by validating the namespace and throwing a more generic error that does not include any contents from the payload. Trying to encode it differently is just creating a moving target and not really fixing it.

XSS only applies if you can get a person to go to a web site by redirecting their browser so that it does a POST or a GET to another site, and you can inject your own content into that site that is executable client-side scripting such as JavaScript.

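An added example to make the answer's point concrete. This is not code from the question, the answer or Apache Axis: `vulnerable_response` only models the echo behaviour the question's response shows, and `EXPECTED_NS`, `ALLOWED_OPERATIONS` and both requests are constructed assumptions. It contrasts three ways of handling the operation element's namespace: writing it back unescaped (what the question's response shows), escaping it (the question's "encode" idea), and validating it against an allow-list and returning a generic fault (what the answer recommends).

```python
# Added example (not from the question, the answer or Apache Axis): a model of the
# namespace reflection described above and of the allow-list check the answer
# recommends. EXPECTED_NS / ALLOWED_OPERATIONS and the requests are assumptions.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_ENV)

EXPECTED_NS = "myReport.xsd"           # assumption: the namespace the WSDL publishes
ALLOWED_OPERATIONS = {"getReport"}     # assumption: the operations the service exposes

# Constructed payload, modelled on the one in the pentest report. Once the parser
# decodes the entities, the namespace value contains a quote, a closing angle
# bracket and an XHTML <body onload=...> element.
INJECTED_NS = ("myReport.xsdn9hqu&#x22;&gt;&lt;a xmlns:a=&apos;http://www.w3.org/1999/xhtml&apos;"
               "&gt;&lt;a:body onload=&apos;alert(1)&apos;/&gt;&lt;/a&gt;mbr2jk4t5ff")


def build_request(ns):
    """Constructed SOAP 1.1 request whose operation element lives in namespace ns."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
            f'<getReport xmlns="{ns}"><someInput>some input data</someInput></getReport>'
            '</soapenv:Body></soapenv:Envelope>')


ATTACK_REQUEST = build_request(INJECTED_NS)
GOOD_REQUEST = build_request(EXPECTED_NS)


def first_body_child(request_xml):
    """Parse the request and return (namespace, local name) of the operation element."""
    data = request_xml.encode("utf-8") if isinstance(request_xml, str) else request_xml
    root = ET.fromstring(data)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no operation element under soap:Body")
    tag = body[0].tag                      # ElementTree spells it "{uri}local"
    if tag.startswith("{"):
        ns, _, local = tag[1:].rpartition("}")
        return ns, local
    return "", tag


def vulnerable_response(request_xml):
    """Model of what the service did: the decoded namespace is written back
    unescaped, so the attacker's quote and brackets become real markup."""
    ns, local = first_body_child(request_xml)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
            f'<ns1:{local}Response xmlns:ns1="{ns}">'
            f'<{local}Return>report details</{local}Return>'
            f'</ns1:{local}Response></soapenv:Body></soapenv:Envelope>')


def escaped_only_response(request_xml):
    """The 'encode it' option from the question: well-formed, but the attacker's
    string still comes back and the service still answers for a namespace it
    never published. That is the moving target the answer warns about."""
    ns, local = first_body_child(request_xml)
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
            f'<ns1:{local}Response xmlns:ns1={quoteattr(ns)}/>'
            '</soapenv:Body></soapenv:Envelope>')


def generic_fault():
    """SOAP fault that repeats nothing from the request."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body><soapenv:Fault>'
            '<faultcode>soapenv:Client</faultcode><faultstring>Invalid request</faultstring>'
            '</soapenv:Fault></soapenv:Body></soapenv:Envelope>')


def hardened_response(request_xml):
    """What the answer recommends: allow-list namespace and operation name first,
    and build the response from validated values only."""
    try:
        ns, local = first_body_child(request_xml)
    except (ET.ParseError, ValueError):
        return generic_fault()
    if ns != EXPECTED_NS or local not in ALLOWED_OPERATIONS:
        return generic_fault()
    # Only validated values reach the tree; serialization escapes attributes anyway.
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    resp = ET.SubElement(body, f"{{{ns}}}{local}Response")
    ET.SubElement(resp, f"{local}Return").text = "report details"
    return ET.tostring(env, encoding="unicode")


def carries_onload_markup(response_xml):
    """True when the response contains an element with an onload attribute, i.e.
    the injected XHTML came back as markup rather than as attribute text."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    return any("onload" in el.attrib for el in root.iter())
```

Running the three functions on `ATTACK_REQUEST` shows the difference: the echoed response parses with a real `a:body onload` element in it, the escaped one is well-formed but still carries `alert(1)` inside the attribute value, and the validated one is a fixed fault with no trace of the payload. In an Axis 1.4 service the equivalent check would sit in a request-flow handler that runs before dispatch and compares the body element's namespace and local name with what the deployed WSDL declares; the fault it raises should carry a fixed message, never the offending value.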