ORIGINAL RESEARCH article

Front. Comput. Sci.

Sec. Computer Security

Volume 7 - 2025 | doi: 10.3389/fcomp.2025.1595624

This article is part of the Research Topic: Reliable and Secure System Software in Emerging Cloud and Distributed Environment

Cloud Security and Authentication Vulnerabilities in SOAP Protocol: Addressing XML-Based Attacks

Provisionally accepted
  • Prince Sattam Bin Abdulaziz University, Al-Kharj, Saudi Arabia

The final, formatted version of the article will be published soon.

Introduction: This research addresses security weaknesses in SOAP-based web services, focusing on authentication vulnerabilities that arise from XML-based attacks such as Signature Wrapping and Replay attacks. Since an increasing number of cloud services rely on SOAP, the study aims to develop a formally verified model that identifies and addresses these vulnerabilities more effectively. Method: We propose and implement a TulaFale-based verification framework that formally models SOAP authentication scenarios built from the standard constructs UsernameToken, Timestamp and X.509 digital certificates. The TulaFale scripts are translated into the applied pi-calculus and verified with the ProVerif tool against properties such as authentication, confidentiality and message integrity. Results: By examining XML web services security problems and consulting security professionals, a number of key risks were identified and discussed. The research contributes a comprehensive language design for cloud security and vulnerabilities based on Blanchet's ProVerif. A controlled experimental testbed was set up to emulate client-server SOAP communication streams and to evaluate how effectively the model identifies an XML-based attack on the web services security framework. The framework was evaluated experimentally for verification time, scalability under concurrency, and identification accuracy. The results confirmed that the framework identifies the attack patterns and confirms secure message exchanges that conform to the WS-Security standard. Discussion: The proposed approach brings automated formal verification to realistic SOAP deployments. By modeling and verifying a security protocol before deployment, developers can be confident that their implementation is resilient against protocol-level vulnerabilities, improving trust in the security of web services deployed in cloud applications.
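The abstract names two XML-based attacks on WS-Security authentication, Signature Wrapping and Replay, and the constructs involved (UsernameToken, Timestamp). The following is an added illustration, not code from the paper or from the TulaFale/ProVerif tooling it describes: the receiver-side checks a SOAP service would run on such a header before trusting the token. A freshness window on wsu:Timestamp and a nonce cache defeat replay; a structural guard requires the Signature's Reference to resolve to exactly one element, and that element to be the soap:Body the service actually processes, which is what Signature Wrapping violates. The namespace URIs are the public WS-Security 1.0 / XML-DSig ones; the sample envelopes, the 300-second window and the Signature carrying only a Reference (no digest or key material) are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # untrusted input in production: parse via defusedxml

# Public SOAP 1.1, WS-Security 1.0 and XML-DSig namespaces.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def parse_utc(text):
    """Parse an xsd:dateTime such as 2025-03-18T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


class WsSecurityValidator:
    """Receiver-side checks run before a UsernameToken is accepted."""

    def __init__(self, window=timedelta(seconds=300)):
        self.window = window   # freshness window and clock-skew allowance (assumed value)
        self.seen_nonces = {}  # nonce -> time after which it can be forgotten

    def check_signed_body(self, root, now):
        """Signature Wrapping guard: the Reference URI must resolve to exactly one
        element, and that element must be the soap:Body the service will process."""
        ref = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref is None:
            return "no ds:Reference in Signature"
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return "only same-document references are accepted"
        target = uri[1:]
        matches = [el for el in root.iter() if el.get(WSU_ID) == target]
        if len(matches) != 1:
            return "wsu:Id %r resolves to %d elements" % (target, len(matches))
        if matches[0] is not root.find("soap:Body", NS):  # direct child of Envelope only
            return "signed element is not the soap:Body that will be processed"
        return None

    def check_timestamp(self, root, now):
        """Replay guard, part 1: Created must be recent and Expires still in the future."""
        ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
        if ts is None:
            return "missing wsu:Timestamp"
        created = ts.findtext("wsu:Created", namespaces=NS)
        expires = ts.findtext("wsu:Expires", namespaces=NS)
        if created is None or expires is None:
            return "Timestamp lacks Created or Expires"
        created, expires = parse_utc(created), parse_utc(expires)
        if created > now + self.window:
            return "Created lies in the future"
        if now - created > self.window:
            return "Created is older than the freshness window"
        if now >= expires:
            return "message has expired"
        return None

    def check_nonce(self, root, now):
        """Replay guard, part 2: a nonce may be accepted once within the window."""
        nonce = root.findtext(".//wsse:UsernameToken/wsse:Nonce", namespaces=NS)
        if not nonce:
            return "missing wsse:Nonce"
        # Forget nonces older than the window: their Created would fail check_timestamp anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if nonce in self.seen_nonces:
            return "replayed nonce"
        self.seen_nonces[nonce] = now + self.window
        return None

    def validate(self, xml_text, now):
        """Return None when every check passes, else the first failure reason.
        The nonce is recorded only after the structural and timestamp checks passed."""
        root = ET.fromstring(xml_text)
        for check in (self.check_signed_body, self.check_timestamp, self.check_nonce):
            reason = check(root, now)
            if reason:
                return reason
        return None


def envelope(nonce, signed_id, body_id, extra_header=""):
    """Constructed sample envelope (not from the paper); the Signature is structural only."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
               xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>2025-03-18T10:00:00Z</wsu:Created>
                   <wsu:Expires>2025-03-18T10:05:00Z</wsu:Expires></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
                        <wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{signed_id}"/></ds:SignedInfo></ds:Signature>
    {extra_header}
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="{body_id}"><getBalance account="42"/></soap:Body>
</soap:Envelope>"""


GOOD = envelope("n1==", "body", "body")
# Malformed envelope: the signed wsu:Id sits on an element inside the header while the
# Body the service would act on carries a different, unsigned Id (the wrapping shape).
WRAPPED = envelope("n2==", "body", "other",
                   '<wsse:Wrapper><soap:Body wsu:Id="body"/></wsse:Wrapper>')

if __name__ == "__main__":
    v = WsSecurityValidator()
    now = parse_utc("2025-03-18T10:01:00Z")
    print(v.validate(GOOD, now))     # -> None (accepted)
    print(v.validate(GOOD, now))     # -> replayed nonce
    print(v.validate(WRAPPED, now))  # -> signed element is not the soap:Body that will be processed
```

The structural guard is the cheap half of the defence; a deployment still verifies the digest and signature over the referenced element, and the guard's value is that it binds the verified bytes to the element the application dispatches on, so a valid signature cannot be reused over a different Body.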

Keywords: authentication, Access control, pseudonymity, anonymity, privacy-preserving protocols, Digital Rights Management

Received: 18 Mar 2025; Accepted: 15 Aug 2025.

Copyright: © 2025 M. Saeed. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) or licensor are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

* Correspondence: Mozamel M. Saeed, Prince Sattam Bin Abdulaziz University, Al-Kharj, Saudi Arabia

Disclaimer: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.