Oswe | Soapbx

Your standard Kali Linux tools aren't enough. You need:

| Tool | Purpose on SoapBX |
| :--- | :--- |
| Burp Suite Pro (Intruder) | Fuzzing SOAP action headers. |
| Python pycryptodome | Manually forging JWT tokens and XML signatures. |
| Java ysoserial | Generating deserialization payloads for Java RMI or Spring. |
| SOAP-UI / Postman | Browsing WSDL schemas visually. |
| Visual Studio Code (Java/PHP debug) | Dynamic analysis of the source code. |

While OffSec doesn't officially call the technique "SOAPBX" (I use it as a mnemonic), the exam requires a Systematic Observation And Procedural Breakdown of eXecution. Here is how the pros actually think during the exam.

A common question: "Is the SoapBX lab machine exactly the same as the OSWE exam machine?"

The answer is no—but it is harder. OffSec rotates exam machines constantly. You will not see "SoapBX" on the exam. However, the concepts from SoapBX (JWT confusion, XML Signature Wrapping, SOAP action injection, Java deserialization) appear in every single OSWE exam. If you can root SoapBX without looking at a write-up, you are ready to pass the OSWE.
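Of the concepts listed above, JWT algorithm confusion is the one that reduces to a few lines of verification logic, so here is an added example (written for this page, not code from the SoapBX project, OffSec or NetSec Focus) showing it from the defender's side. It uses only the Python standard library rather than pycryptodome, a constructed demo secret, and hypothetical function names: a verifier that lets the token's own `alg` header pick the algorithm (and therefore accepts an unsigned `alg: none` token) next to a hardened verifier that pins the algorithm the server actually issues. This is the check a source-code reviewer looks for in white-box analysis: does the server trust the header, or does it decide the algorithm itself?

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads this from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore padding and decode a base64url segment."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a correctly signed HS256 token (the server's normal issuing path)."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Test vector only: an 'alg: none' token with an empty signature segment,
    the kind of malformed input a verifier's test suite must reject."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def _split(token: str):
    """Parse header/claims/signature; raise ValueError on any malformed segment."""
    h, p, s = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    return h, p, s, header, claims


def verify_trusting_header(token: str, secret: bytes):
    """Flawed verifier: the token's own header chooses the algorithm.
    Returns the claims on success, None on failure."""
    try:
        h, p, s, header, claims = _split(token)
    except ValueError:  # json.JSONDecodeError and binascii.Error are subclasses
        return None
    alg = header.get("alg")
    if alg == "none":
        # The classic mistake: an "unsigned" token is accepted as-is.
        return claims
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return claims
    return None


def verify_pinned_hs256(token: str, secret: bytes):
    """Hardened verifier: the server decides the algorithm, not the token.
    Anything other than the one algorithm we issue is rejected outright."""
    try:
        h, p, s, header, claims = _split(token)
        signature = _b64url_decode(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims


if __name__ == "__main__":
    good = make_hs256_token({"sub": "alice", "role": "user"}, DEMO_SECRET)
    forged = make_unsigned_token({"sub": "alice", "role": "admin"})
    print("trusting verifier, unsigned token:", verify_trusting_header(forged, DEMO_SECRET))
    print("pinned verifier,   unsigned token:", verify_pinned_hs256(forged, DEMO_SECRET))
    print("pinned verifier,   valid token:   ", verify_pinned_hs256(good, DEMO_SECRET))
```

The hardened version also rejects a token whose claims were edited after signing, because the HMAC covers both the header and the claims segment; the difference between the two verifiers is entirely in who gets to choose `alg`.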

Note: I assume you mean SoapBX (SOAPBox) in the context of OSWE (Offensive Security Web Expert) exam prep and web application exploitation; if you meant a different project, replace references accordingly.

The OSCP teaches you "Black Box" testing. You throw payloads at a wall and see what sticks. SQLmap, Nikto, Gobuster—you are guessing.

The OSWE teaches you White Box (Source Code Analysis). You stop guessing. You know.

The OSWE mantra is simple: "If you have the source code, you have the vulnerability."

But finding a vulnerability in 50,000 lines of PHP, Java, or C# is like finding a needle in a stack of needles. That is where SOAPBX comes in.

SOAPbx (often stylized as soapbx or SOAP Box) is an open-source project developed by NetSec Focus. It is a deliberately vulnerable web application designed to help students practice the specific skills required for the OSWE exam.

In the official OSWE lab environment, students encounter several application stacks. Among them, SoapBX is infamous. The name is a portmanteau—"SOAP" (Simple Object Access Protocol) and "BX" (likely shorthand for "Box" or "Exchange").

What is SoapBX? SoapBX is a purposely vulnerable web application that simulates a complex enterprise API gateway or a legacy SOAP-based web service. It is not a standard LAMP stack (Linux, Apache, MySQL, PHP) like the OSCP labs. Instead, SoapBX typically involves:

Students fear SoapBX because it moves away from simple SQL injection or XSS. It requires understanding business logic flaws and deserialization attacks.