SOAP Security

Please guide me about security tips for using SOAP with PHP.

  1. Web services routing issues

Web services security protocols have WS-Routing services. WS-Routing allows SOAP messages to travel in specific sequence from various different nodes on the Internet. Often encrypted messages traverse these nodes. A compromise of any of the intermediate nodes results in possible access to the SOAP messages traveling between two end points. This can be a serious security breach for SOAP messages. As Web applications move to adopt the Web services framework, focus shifts to these new protocols and new attack vectors are generated.

  2. Parameter manipulation with SOAP

Web services consume information and variables from SOAP messages. It is possible to manipulate these variables. For example, “10” is one of the nodes in SOAP messages. An attacker can start manipulating this node and try different injections – SQL, LDAP, XPATH, command shell – and explore possible attack vectors to get a hold of internal machines. Incorrect or insufficient input validation in Web services code leaves the Web services application open to compromise. This is a new available attack vector to target Web applications running with Web services.

Can PHP prevent these attacks?
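As an added example, not part of the original question or any answer on this page: a small PHP SOAP handler that treats every SOAP parameter as untrusted input, illustrating the input-validation point in item 2. A manipulated node such as `<orderId>10 OR 1=1</orderId>` is rejected before it reaches the database, and the validated value is bound through a prepared statement rather than concatenated into SQL. The service name, method, table and URI are assumptions; it assumes PHP 8.0+ with the `soap` and `pdo_sqlite` extensions loaded.

```php
<?php
// Added example (not from the original post). Shows one PHP-side defence against
// SOAP parameter manipulation: explicit validation plus parameterised queries.
// OrderService, getOrder, the orders table and the URN are all assumed names.

declare(strict_types=1);

final class OrderService
{
    public function __construct(private PDO $db) {}

    /**
     * Look up one order by numeric id.
     * SOAP delivers the parameter as a string whatever the WSDL promises,
     * so the type and range are checked here rather than assumed.
     */
    public function getOrder(string $orderId): array
    {
        $id = self::requirePositiveInt($orderId, 'orderId');

        // Parameterised query: the validated integer is bound, never concatenated.
        $stmt = $this->db->prepare('SELECT id, status FROM orders WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new SoapFault('Client', 'Order not found');
        }
        return $row;
    }

    /** Accept only a plain decimal integer in a sane range; reject everything else. */
    public static function requirePositiveInt(string $value, string $name): int
    {
        // Allowlist pattern: 1 to 10 digits, no sign, no whitespace, no operators.
        if (preg_match('/^[1-9][0-9]{0,9}$/', $value) !== 1) {
            throw new SoapFault('Client', "Invalid value for $name");
        }
        return (int) $value;
    }
}

// Constructed in-memory SQLite database so the example runs without a real backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)');
$db->exec("INSERT INTO orders VALUES (10, 'shipped'), (11, 'pending')");

$service = new OrderService($db);

// Direct calls stand in for incoming SOAP requests: one legitimate value,
// one manipulated node of the kind the question describes.
var_dump($service->getOrder('10'));
try {
    $service->getOrder('10 OR 1=1');
} catch (SoapFault $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Wiring the same object into PHP's built-in SOAP server (non-WSDL mode, assumed URI):
// $server = new SoapServer(null, ['uri' => 'urn:example:orders']);
// $server->setObject($service);
// $server->handle();
```

The validation is deliberately an allowlist (what a valid id looks like) rather than a blocklist of injection strings, so the same rule covers SQL, LDAP, XPath and shell payloads alike; the prepared statement is the second, independent layer in case a value ever bypasses the check.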

No, PHP cannot prevent these attacks, because you are talking about the compromise of various components that might not even be in your control. PHP is [one of multiple] implementations. The issues you are talking about are in the design. If you do not deal with issues at the design level, then there is no way to deal with them at the implementation level.

In essence - if you have such a complex system that is comprised of multiple separate subsystems, then a compromise of any of those systems may compromise the system as a whole.