What Is SOAP?
SOAP (Simple Object Access Protocol) is a messaging protocol for exchanging structured data between systems. It uses XML for message formatting and typically runs over HTTP, though it can use other protocols like SMTP.
SOAP was the dominant web service technology before REST emerged. While newer APIs overwhelmingly use REST or GraphQL, SOAP remains critical in enterprise environments.
Where SOAP Is Still Used
- Banking and finance — payment processing, interbank communication (SWIFT)
- Healthcare — HL7/FHIR integrations, insurance claims
- Government — tax filing, regulatory reporting
- Enterprise — SAP, Salesforce SOAP API, legacy CRM/ERP systems
- Telecommunications — provisioning, billing systems
SOAP vs. REST
| Feature | SOAP | REST |
|---|---|---|
| Format | XML only | JSON, XML, others |
| Contract | Required (WSDL) | Optional (OpenAPI) |
| Protocol | HTTP, SMTP, JMS | HTTP only |
| Security | WS-Security (built-in) | HTTPS + custom |
| Transactions | WS-AtomicTransaction | Custom |
| State | Stateful supported | Stateless |
| Error handling | SOAP Faults | HTTP status codes |
| Learning curve | High | Low |
SOAP Message Structure
Every SOAP message has this structure:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:usr="http://example.com/users">
  <soap:Header>
    <usr:AuthToken>token123</usr:AuthToken>
  </soap:Header>
  <soap:Body>
    <usr:GetUser>
      <usr:userId>42</usr:userId>
    </usr:GetUser>
  </soap:Body>
</soap:Envelope>
```
Response:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserResponse>
      <user>
        <id>42</id>
        <name>Alice Johnson</name>
        <email>alice@example.com</email>
      </user>
    </GetUserResponse>
  </soap:Body>
</soap:Envelope>
```
SOAP Faults (Error Responses)
```xml
<soap:Body>
  <soap:Fault>
    <faultcode>soap:Client</faultcode>
    <faultstring>User not found</faultstring>
    <detail>
      <errorCode>USER_404</errorCode>
      <message>No user with ID 99999 exists</message>
    </detail>
  </soap:Fault>
</soap:Body>
```
Fault codes: soap:Client (client error), soap:Server (server error), soap:MustUnderstand, soap:VersionMismatch.
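As an added example (not part of the original page), the following Python script builds the GetUser envelope shown above with the correct namespace prefixes and classifies a response as either GetUserResponse data or a soap:Fault. The namespaces and element names are taken from the page; the two sample responses are constructed to mirror its examples.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace and the example service namespace from the page.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
USR_NS = "http://example.com/users"
NS = {"soap": SOAP_NS, "usr": USR_NS}

def build_get_user_request(user_id: int, auth_token: str) -> bytes:
    """Serialise the GetUser envelope above: AuthToken in the Header, GetUser in the Body."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("usr", USR_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{USR_NS}}}AuthToken").text = auth_token
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{USR_NS}}}GetUser")
    ET.SubElement(op, f"{{{USR_NS}}}userId").text = str(user_id)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_soap_response(xml_bytes: bytes) -> dict:
    """Classify a response as GetUserResponse data or a soap:Fault (faultcode, faultstring, detail)."""
    body = ET.fromstring(xml_bytes).find("soap:Body", NS)
    if body is None:
        raise ValueError("not a SOAP envelope: soap:Body missing")
    fault = body.find("soap:Fault", NS)
    if fault is not None:
        # In SOAP 1.1 faultcode/faultstring/detail are unqualified; detail content is service-defined.
        return {"ok": False,
                "faultcode": fault.findtext("faultcode"),
                "faultstring": fault.findtext("faultstring"),
                "errorCode": fault.findtext("detail/errorCode")}
    user = body.find("GetUserResponse/user")  # unqualified, as in the response shown above
    if user is None:
        raise ValueError("Body holds neither GetUserResponse nor Fault")
    return {"ok": True, "user": {child.tag: child.text for child in user}}

# Constructed sample responses mirroring the page's GetUserResponse and Fault examples.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<GetUserResponse><user><id>42</id><name>Alice Johnson</name><email>alice@example.com</email></user>
</GetUserResponse></soap:Body></soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<soap:Fault><faultcode>soap:Client</faultcode><faultstring>User not found</faultstring>
<detail><errorCode>USER_404</errorCode><message>No user with ID 99999 exists</message></detail>
</soap:Fault></soap:Body></soap:Envelope>"""
```

Calling `parse_soap_response(SAMPLE_FAULT)` yields the fault code, string and service error code together, which is what a fault-handling test asserts on.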
WSDL — The Contract
WSDL (Web Service Description Language) defines everything about the SOAP service. It is your primary testing reference:
- Types — XML Schema definitions for request/response messages
- Messages — Abstract definitions of the data being communicated
- Operations — Available methods (GetUser, CreateUser, etc.)
- Bindings — How messages are transmitted (SOAP over HTTP)
- Services — The endpoint URL where the service is available
Access the WSDL by appending `?wsdl` to the service endpoint:

```text
https://api.example.com/UserService?wsdl
```
Testing SOAP Services
Using SoapUI
SoapUI is the standard tool for SOAP testing:
- Import WSDL: File > New SOAP Project > Enter WSDL URL
- SoapUI auto-generates sample requests for all operations
- Modify the XML values and send requests
- Add assertions for response validation
- Create test suites and data-driven tests
Using cURL
```bash
curl -X POST \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://example.com/GetUser" \
  -d '<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUser xmlns="http://example.com/users">
      <userId>42</userId>
    </GetUser>
  </soap:Body>
</soap:Envelope>' \
  https://api.example.com/UserService
```
SOAP Test Scenarios
| Category | Tests |
|---|---|
| Functional | Valid requests for each operation; verify response data |
| Validation | Missing required elements, wrong data types, invalid XML |
| Security | WS-Security tokens, expired tokens, SQL/XML injection |
| Faults | Verify fault codes, fault strings, and detail elements |
| WSDL compliance | Response matches WSDL-defined schema |
| Performance | Response time under load |
| Interoperability | Different SOAP clients produce same results |
XML Validation Tests
| Test | Expected |
|---|---|
| Well-formed XML | Missing closing tags should fail |
| Schema validation | Elements must match WSDL types |
| Namespace errors | Wrong namespace should return fault |
| Empty required elements | Should return validation fault |
| XML injection | `<script>` tags should be escaped/rejected |
| XXE attack | External entity references should be blocked |
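The table above can be turned into a server-side request validator. The following Python script is an added example (not the page's own code) that applies those checks to a GetUser request: DTD rejection before parsing (so no external entity can be declared), well-formedness, envelope and operation namespace, required elements, nested markup in a scalar field, and data type. It assumes the WSDL declares `userId` as the only required child of `GetUser`, typed `xs:int`; `envelope()` is a helper that constructs test inputs.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
USR_NS = "http://example.com/users"
NS = {"soap": SOAP_NS, "usr": USR_NS}
REQUIRED = ["userId"]  # assumed: the WSDL declares userId as the only required child of GetUser

def envelope(body_xml: str) -> bytes:
    """Wrap constructed body content in a SOAP 1.1 envelope with the example namespaces."""
    return (f'<?xml version="1.0"?><soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:usr="{USR_NS}">'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>").encode()

def validate_get_user_request(xml_bytes: bytes) -> list:
    """Apply the checks from the table above to an incoming GetUser request.
    Returns the list of problems found; an empty list means the request is acceptable."""
    # XXE: external entities can only be declared in a DOCTYPE, so refuse any DTD before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DTD/entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:  # well-formedness: missing closing tags and similar
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return ["root element is not soap:Envelope (wrong namespace?)"]
    op = root.find("soap:Body/usr:GetUser", NS)
    if op is None:
        return ["soap:Body does not contain usr:GetUser in the expected namespace"]
    problems = []
    for name in REQUIRED:
        el = op.find(f"usr:{name}", NS)
        if el is None:
            problems.append(f"missing required element {name}")
        elif len(el):  # nested markup such as <script> inside a scalar field
            problems.append(f"{name} must contain text only, not child elements")
        elif not (el.text or "").strip():
            problems.append(f"required element {name} is empty")
        elif not el.text.strip().isdigit():  # WSDL type assumed to be xs:int
            problems.append(f"{name} must be an integer, got {el.text.strip()!r}")
    return problems
```

Each rejected case corresponds to a row of the table, so the same inputs can be sent to the real service (via cURL or SoapUI) and the returned soap:Client fault compared against this local verdict.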
Hands-On Exercise
- Explore a public SOAP service: Find a public SOAP API (many countries have public government SOAP services). Import the WSDL into SoapUI or use cURL.
- Test with cURL: Send a SOAP request via cURL and parse the XML response.
- Error testing: Send malformed XML, missing required elements, and invalid data types.
- Compare SOAP and REST: If an API offers both SOAP and REST interfaces, compare the request/response size and complexity.
Key Takeaways
- SOAP uses XML messages with a strict Envelope/Header/Body structure and WSDL contracts
- While REST dominates new APIs, SOAP remains critical in banking, healthcare, government, and enterprise
- WSDL is the complete API contract — it defines operations, messages, types, and endpoints
- SoapUI is the industry-standard tool for SOAP testing; cURL works for simple requests
- SOAP Faults are the error mechanism — test for proper fault codes, strings, and detail elements
- XML-specific vulnerabilities (XXE, XML injection) must be tested in addition to standard API security