External Service Interaction attack using SOAP in ASP.NET Webservices RRS feed

  • Question

  • Hi,

    We are facing this security issue in the ASP.NET Web services. Here is the scenario.

    - We have a web service that is soap based.

    - When we hit that web service and modify the SOAP request body and add the following line

    <!DOCTYPE soapenv:envelope PUBLIC "-//B/A/EN" "http://xyz-website.com">

    - We see the the request is rejected by the framework with the following error 

    Code=-106;Message=Invalid Soap Request Xml;Detail=Invalid Request.;

    - Which is fine

    - But the issue is that our server (Where the service is hosted, also makes a call to xyz-website.com, which is a security breach.

    We could not find anyway  to stop it. Can you please suggest how we can stop our ASP.NET Webservice from calling external websites that are injected in the request body by DOCTYPE.


    Tahir Rauf

    Monday, May 21, 2018 8:51 AM

All replies

  • Hi Tahir Rauf,

    Thank you for posting here.

    For your question is more related to ASP.NET, please post a new thread in ASP.NET forum for suitable support.

    The CLR Forum discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Regigistry, Globalization, Reflection. Also discuss all the other Microsoft libraries that are built on or extend the .NET Framework, including Managed Extensibility Framework (MEF), Charting Controls, CardSpace, Windows Identity Foundation (WIF), Point of Sale (POS), Transactions.

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, May 22, 2018 7:13 AM
  • Btw, does following this thread to set custom schema provider and then set XmlResolver to null or XmlSecureResolver works for you?

    Btw, seems .NET 4.5.2 or later will no longer resolve external reference listed in DOCTYPE (Relevent documentation here. The default setting is Prohibit.). Maybe updating your .NET version and it'll be fine.

    • Edited by cheong00 Wednesday, May 23, 2018 8:21 AM
    Wednesday, May 23, 2018 7:41 AM