Skip to main content

Protect WSDL files


WSDL files containing sensitive information must not be publicly accessible.


Some web services architectures require exposing a WSDL file. If this file contains sensitive information, such as deprecated methods or administrative services, it should not be available to a wider audience than it requires. If it must be available on a very public network, like the internet, then it should not contain any sensitive information.


  • CAPEC-116: Excavation: An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data.

  • CAPEC-224: Fingerprinting: An adversary compares output from a target system to known indicators that uniquely identify specific details about the target.

  • CWE-651: Exposure of WSDL File Containing Sensitive Information: The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g., what parameters they expect and what types they return).