What is Simple Object Access Protocol (SOAP)?
Thinking about SOAP APIs brings to mind a middle school taunt along the lines of “The 90s called. They want their pants back.” Revolutionary in its day, the technology can sometimes now feel dated. Yet, the Simple Object Access Protocol (SOAP) has exhibited more staying power than many of its detractors would like to admit. If you’re involved in enterprise architecture or application integration, it pays to know a bit about SOAP APIs—where they came from, what they do, where they can be effective, and the vulnerabilities they can potentially create.
What is SOAP?
SOAP is a standards-based messaging protocol specification. SOAP messages exchange structured information using XML as its message format. In a nutshell, a SOAP message is essentially an XML document that consists of four different elements:
SOAP envelope – this establishes the XML document as a SOAP message
SOAP header – this includes info on the header details
SOAP body – this includes info on the SOAP requests and the responses
SOAP fault – this includes info on any errors that occur
With SOAP, an application can invoke a web service, send or retrieve data, or issue a procedure call. A SOAP message travels using application layer protocols like Hypertext Transport Protocol (HTTP), though it can also run on Simple Mail Transfer Protocol (SMTP), Java Message Service (JMS), and others.
The history of SOAP
To understand the importance of the Simple Object Access Protocol (SOAP), it’s necessary to know what came before it and the problems its creators set out to solve. SOAP enables two or more applications, built in any language and running on any platform to exchange data and procedure calls across virtually any kind of network. This may not seem so special in 2022, but there was a time when the very idea of such interoperability would have seemed like science fiction.
Getting two or more computer systems to communicate and interoperate is a challenge that goes back at least to the early 1960s. And, while many innovative developments made it incrementally easier to achieve this goal, by the 1990s, many industry insiders had reached the conclusion that a radical change was needed. Interfaces between applications were either custom-coded or built using cumbersome proprietary middleware products. Companies spent fortunes and person-years managing these fragile connections and buying connector sets.
The answer was for the major industry players to come together and agree upon a set of open standards for application integration, data exchange, and interoperation. By 1998, these standards had come into existence and were ratified by the Internet Engineering Task Force (IETF). In addition to SOAP, these so-called “web services standards” included Web Services Description Language (WSDL), which describes how a SOAP web service works, and Universal Description Discovery and Integration (UDDI), which is a format for a SOAP web service directory.
SOAP and its accompanying web services standards became the foundation for an entire generation of dominant enterprise technologies. The web services standards were the basis for the massive, entirely new Microsoft .NET framework, the Oracle Aquasoft platform and portfolio, IBM’s WebSphere integration platform and portfolio, SAP NetWeaver, and others. They represented a profound revolution in software development, application integration, and enterprise architecture.
SOAP's relationship to XML
SOAP messages are built in the Extensible Markup Language (XML). The SOAP standard specifies the XML schema used to create a SOAP message. This includes the “envelope” for the SOAP message, which defines the message structure and destination. The SOAP XML schema also includes encoding rules that represent data types, as well as a convention for representing procedure calls and responses.
When to use SOAP
SOAP is useful in a variety of situations. It is good when synchronous processing is occurring, perhaps coupled with the need to invoke certain APIs subsequently. SOAP APIs are handy when it’s necessary for a server and client to exchange data in a structured format. SOAP is also effective for the seamless processing of stateful operations, i.e., when an application needs to maintain the state from one request to another.
In some cases, there may be no choice but to use SOAP, e.g., when it’s the default integration protocol for a packaged application. There is also the likelihood that you'll encounter a legacy and shadow SOAP API that was deployed by a former employee.
SOAP supported transfer protocols: HTTP, TCP, SMTP, FTP
Transfer protocols are based upon the use of rules or instructions for data exchange over the Internet. Currently, the protocol uses low-level protocols including IPv4 that simply transmits the packets to the other site. Some higher transfer layers like TCP assure data delivery. Finally, the web browsers can use applications level protocol for communicating and storing data on servers without actually determining the connection itself. SOAP supports several transfer protocol, including specialized low-level ones. SOAP allows communication via TCP protocol - an intermediate level data exchange system working via an Internet network.
Advantages of SOAP
Despite the stigma that SOAP carries of being an outdated technology, its longevity and long track record of use would actually imply that the protocol is quite effective. Let's take a look at a few of the notable benefits of using SOAP:
Compatible with all programming languages.
Due to the fact that SOAP is rooted in the XML format, it is interoperable with all programming languages and provides a standardized way of exchanging data between different software systems. This means that developers can create applications that can access data from different sources.
Perfect solution for working with multiple extensions
With WSDL, for example, a developer gets the information he or she needs to develop and implement a SOAP API with relative ease. SOAP’s multiple extensions, like WS Addressing, WS Security, and WS Federation, are also helpful as pre-built app components.
It’s a way to exchange data in a secure and reliable manner.
SOAP is more secure than HTTP because it uses SSL encryption to protect data transmission. In contrast, REST APIs don't feature security and extension capabilities as SOAP APIs do. Security depends upon the API's own architectures.
Disadvantages of SOAP
On the downside, SOAP has shown some pretty clear weaknesses when compared to some of the newer generation protocols. Let's review some of the key disadvantages of using SOAP vs protocols like REST or GraphQL:
SOAP is comparatively complex and time-consuming
When compared to it's RESTful alternative, the SOAP syntax tends to be challenging. For instance, performance can be an issue due to the fact that parsing XML data can be CPU and memory intensive.
"Language agnostic" format comes with strings attached
And, while SOAP is theoretically vendor-neutral, implementing it often involves committing to a stack, such as Microsoft, which not everyone wants to do.
SOAP creates some exposure to cyber-risk as well
SOAP API vulnerabilities include Denial of Service (DoS) attacks, XML injection (XXE), SQL injection, command injection, and more. SOAP is also vulnerable to spoofing and Man-in-the-Middle (MiTM) attacks. Web service security tools can mitigate many of these risks.
SOAP vs REST APIs
Use of SOAP and the web services standards has been in decline since the emergence of Representational State Transfer (REST) as the primary basis for APIs, data exchange, and application integration. There’s an idea that REST “replaced” SOAP. This is true, in a limited way, but it’s worth noting the differences between the two.
SOAP is a protocol, in contrast to REST, which is an architectural pattern
SOAP uses web services to expose functionality to clients, versus REST, which relies on URLs to access components of a REST service
SOAP requires more bandwidth than REST
SOAP cannot use REST, but REST can use SOAP
SOAP vs GraphQL
SOAP and GraphQL are two different protocols that are used to communicate with web services. They both have their own advantages and disadvantages but they are both widely used today. SOAP is a is a request-response protocol that uses XML for the request and response.
GraphQL, on the other hand, has been gaining popularity over the years because it offers more flexibility than SOAP. One of the most notable advantages is that it provides a way to query data from multiple sources without having to use multiple APIs. It also allows for better performance because it doesn't require XML parsing or serialization.
SOAP integrates the WS-Security functionality. Using these protocols, we can determine security measures in transactions and provide privacy guidelines for data integrity in a transactional environment. A further advantage is that it supports encrypted and cryptography signed documents. WS-Security allows your message to not just have HTTPS encryption but also have authenticating data in a message. It must also ensure that the data whose transits outside the HTTPS protocol are retrieved only by the correct processing on that server and not by the correct server itself.
The REST API only supports HTTP security methods. If applications send messages using an HTTPS connection then this message can be secured only by HTTPS communication. Meaning, the message is encrypted only at the time of transport from customer to services. It works well for public websites. Because REST APIs don't feature security capabilities and extension capabilities as SOAP APIs do, security depends upon the API's own architectures. A REST API can have a specific security mechanism for allowing only authenticated users to access them.
How Noname can help secure your SOAP APIs
Aging but still vital, SOAP APIs have a role to play in modern application integration and interoperation. It will likely continue to serve as a critical element of enterprise architectures for a generation to come. With that said, the first step to protecting SOAP APIs is finding out where they are. Considering how long many of them have been deployed, it's not farfetched to think that many have transitioned into shadow APIs. The employees who originally deployed these APIs have since moved on or retired, and its highly unlikely that there were developer transition plans in place which audited APIs when the organization experienced attrition.
In order to secure not just these APIs but your entire API estate, you must be able to identify all the APIs you have regardless of configuration or type—including RESTful, GraphQL, SOAP, XML-RPC, JSONRPC, and gRPC. Noname Security not only helps you inventory these APIs, but we also uncover vulnerabilities, misconfigurations, and potential sensitive data exposure.
Learn more about our comprehensive API Security platform by visiting nonamesecurity.com