Preventing SOAP Injection
SOAP injection can be prevented by employing boundary validation filters at
any point where user-supplied data is inserted into a SOAP message (see
Chapter 2). This should be performed both on data that has been immediately
received from the user in the current request and on any data which has been
persisted from earlier requests or generated from other processing that takes
user data as input.
To prevent the attacks described, the application should HTML-encode any
XML metacharacters appearing in user input. HTML-encoding involves
replacing literal characters with their corresponding HTML entities. This
ensures that the XML interpreter will treat them as part of the data value of the
relevant element, and not as part of the structure of the message itself. The
HTML-encodings of some common problematic characters are:
<   &lt;
>   &gt;
/   &#47;
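As an added example (not the book's code), the boundary filter described above in Python: it HTML-encodes the listed metacharacters (plus `&` and quotes, which are also structural in XML) before the value is inserted into a SOAP body, then parses the encoded and the unencoded message to show that only the encoded value reaches the server as element data. The SOAP operation, element names and input strings are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Entity replacements for XML metacharacters; '&' goes first so the
# ampersands introduced by the other entities are not encoded twice.
_ENCODINGS = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ("/", "&#47;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical SOAP operation used only for this illustration.
SOAP_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><TransferFunds>"
    "<FromAccount>{account}</FromAccount>"
    "<Amount>{amount}</Amount>"
    "</TransferFunds></soap:Body></soap:Envelope>"
)

# Constructed user input that carries XML markup instead of a plain account id.
MARKUP_INPUT = "1234</FromAccount><Amount>1</Amount><FromAccount>"


def html_encode(value: str) -> str:
    """Boundary filter: encode metacharacters so the value stays element data."""
    for literal, entity in _ENCODINGS:
        value = value.replace(literal, entity)
    return value


def build_message(account: str, amount: str, encode: bool = True) -> str:
    """Insert user data into the SOAP body; encode=False is the unsafe path."""
    filt = html_encode if encode else (lambda s: s)
    return SOAP_TEMPLATE.format(account=filt(account), amount=filt(amount))


def parse_operation(message: str) -> list:
    """Return (tag, text) for each element of the operation, as the server sees it."""
    root = ET.fromstring(message)
    body = root.find("{%s}Body" % SOAP_NS)
    return [(child.tag, child.text) for child in body[0]]


if __name__ == "__main__":
    print(parse_operation(build_message(MARKUP_INPUT, "10")))
    print(parse_operation(build_message(MARKUP_INPUT, "10", encode=False)))
```

With encoding, the parser decodes the entities back into the original characters but as the text of a single FromAccount element; without it, the same input yields four elements and the operation's structure no longer matches what the application intended to send.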