1430True1430&ToAccount=08447656&Submit=Submit
If, on the other hand, the application processes the last ClearedFunds element that it encounters, you could inject a similar attack into the ToAccount parameter.
A different type of attack would be to use XML comments to remove part of the original SOAP message altogether, and replace the removed elements with your own. For example, the following request injects a ClearedFunds element via the Amount parameter, provides the opening tag for the ToAccount element, opens a comment, and closes the comment in the ToAccount parameter, thus preserving the syntactic validity of the XML:
POST /transfer.asp HTTP/1.0
Host: wahh-bank.com
Content-Length: 125

FromAccount=18281008&Amount=1430
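Both attacks in this section work only because the server drops the parameter values straight into the SOAP body as strings. The following Python is an added example, not code from the book or from the wahh-bank application: it shows that concatenation pattern beside a builder that uses the XML DOM API (so every value becomes a text node and is escaped on serialisation), plus a server-side whitelist check on the parameters. The SOAP 1.1 envelope namespace is real; the application namespace, element layout and account formats are assumptions, and the injected values are constructed from the description above.

```python
# Added example (not from the book): SOAP request construction, vulnerable
# form beside hardened form, with a whitelist check for the parameters.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # real SOAP 1.1 namespace
APP_NS = "urn:wahh-bank:transfer"                       # hypothetical application namespace


def build_naive(from_account: str, amount: str, to_account: str) -> str:
    """Vulnerable: the pattern the text describes. Any '<' or '-->' in a
    parameter is interpreted as markup, so a value can close its own element
    and add or comment out others."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<pre:Add xmlns:pre="{APP_NS}"><Account>'
        f"<FromAccount>{from_account}</FromAccount>"
        f"<Amount>{amount}</Amount>"
        f"<ToAccount>{to_account}</ToAccount>"
        "</Account></pre:Add></soap:Body></soap:Envelope>"
    )


def build_safe(from_account: str, amount: str, to_account: str) -> str:
    """Hardened: values are assigned as text nodes, so the serialiser escapes
    '<', '>' and '&' and the input can never introduce an element or comment."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    add = ET.SubElement(body, f"{{{APP_NS}}}Add")
    acct = ET.SubElement(add, "Account")
    for name, value in (
        ("FromAccount", from_account),
        ("Amount", amount),
        ("ToAccount", to_account),
    ):
        ET.SubElement(acct, name).text = value
    return ET.tostring(env, encoding="unicode")


def validate_amount(value: str) -> bool:
    """Whitelist check (assumed format): digits with an optional 2-decimal fraction."""
    return re.fullmatch(r"\d{1,12}(\.\d{1,2})?", value) is not None


def validate_account(value: str) -> bool:
    """Whitelist check (assumed format): account numbers are digits only."""
    return re.fullmatch(r"\d{1,20}", value) is not None


def element_texts(xml_text: str, tag: str) -> list:
    """Parse the generated message and return the text of every <tag> element,
    which is what the back end would actually act on."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.iter(tag)]


# Constructed inputs modelled on the two attacks described in the text.
TAG_INJECTION = "1430</Amount><ClearedFunds>True</ClearedFunds><Amount>1430"
COMMENT_AMOUNT = "1430</Amount><ClearedFunds>True</ClearedFunds><ToAccount><!--"
COMMENT_TO = "-->08447656"


def demo() -> dict:
    """Compare what each builder produces for the same inputs."""
    naive_tag = build_naive("18281008", TAG_INJECTION, "08447656")
    safe_tag = build_safe("18281008", TAG_INJECTION, "08447656")
    naive_cmt = build_naive("18281008", COMMENT_AMOUNT, COMMENT_TO)
    safe_cmt = build_safe("18281008", COMMENT_AMOUNT, COMMENT_TO)
    return {
        "naive_tag_cleared": element_texts(naive_tag, "ClearedFunds"),
        "safe_tag_cleared": element_texts(safe_tag, "ClearedFunds"),
        "safe_tag_amount": element_texts(safe_tag, "Amount"),
        "naive_cmt_to": element_texts(naive_cmt, "ToAccount"),
        "safe_cmt_to": element_texts(safe_cmt, "ToAccount"),
        "amount_rejected": not validate_amount(TAG_INJECTION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the naive builder the tag-injection value yields a genuine ClearedFunds element and two Amount elements, and the comment variant leaves the parser seeing a single, clean ToAccount of 08447656 with the server's own element commented away. With the DOM builder both values survive only as literal text inside Amount and ToAccount, and the whitelist check rejects them before any message is built at all; in practice the check should run first and the DOM builder is the defence in depth behind it.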