Abstract
Simple Object Access Protocol (SOAP) is often treated as a relic of the past, yet it continues to power critical business workflows and systems that process highly sensitive data. Because these services are seen as mature and reliable, their underlying assumptions frequently go unchallenged. By examining how SOAP requests are parsed, how XML is processed, and how data flows through the system, it becomes clear that these systems can behave in ways developers and defenders do not anticipate.
Modern environments introduce additional trust dependencies: XML parsing, object deserialization, schema validation, and error-handling paths that appear harmless but can quietly create serious security issues, such as XXE. This talk breaks down how these pieces interact in real implementations and demonstrates why SOAP still matters today.