How does one protect against this kind of attack? Routing Detour is a “man-in-the-middle” attack where XML content processors are injected to route sensitive information to an attacker-controlled outside location. Routing information (either in the HTTP header or in the WS-Routing header) can be modified while it is in transit, and traces of the routing can be removed from the header and message such that the receiving application is unaware that a Routing Detour has occurred.
Routing Detour attacks take advantage of the fact that the header, and the insertion of header objects, are often less protected than the message body. The header is used as a catch-all for metadata about the transaction, such as authentication, routing, formatting, schema, canonicalization, and namespaces. Also, many processes may be involved in adding to and/or processing the header of an XML document. In many implementations, the routing information can come from an external web service (using WS-Referral, for example) that provides the specific routing for the transaction.
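One check a receiving node or gateway can apply to the routing header described above is to compare every hop in the WS-Routing `path` against an allowlist of approved intermediaries. This is an added example, not code from the original page; the host names, the sample envelope and the function names are constructed for illustration. It only sees hops still present in the header, so it does not detect a detour whose traces were removed in transit.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RP_NS = "http://schemas.xmlsoap.org/rp/"  # WS-Routing namespace

# Constructed sample message: the second <via> hop is not an approved intermediary.
SAMPLE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
      <m:action>http://orders.example.com/submit</m:action>
      <m:to>soap://orders.example.com/endpoint</m:to>
      <m:fwd>
        <m:via>soap://gw1.example.com</m:via>
        <m:via>soap://relay.example.net</m:via>
      </m:fwd>
    </m:path>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def route_hops(envelope_xml):
    """Return every routing URI in the WS-Routing path: forward hops, then the receiver."""
    root = ET.fromstring(envelope_xml)
    path = root.find(f"{{{SOAP_NS}}}Header/{{{RP_NS}}}path")
    if path is None:
        return []  # no WS-Routing header present
    vias = path.findall(f"{{{RP_NS}}}fwd/{{{RP_NS}}}via")
    hops = [v.text.strip() for v in vias if v.text]
    to = path.find(f"{{{RP_NS}}}to")
    if to is not None and to.text:
        hops.append(to.text.strip())
    return hops


def unapproved_hops(envelope_xml, allowed_hosts):
    """Return hops whose host is not on the allowlist (exact, case-insensitive match)."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = []
    for uri in route_hops(envelope_xml):
        host = (urlsplit(uri).hostname or "").lower()
        if host not in allowed:  # unparseable URIs have an empty host and are rejected too
            bad.append(uri)
    return bad


if __name__ == "__main__":
    print(unapproved_hops(SAMPLE, {"gw1.example.com", "orders.example.com"}))
```

A message that returns a non-empty list should be rejected or quarantined rather than forwarded.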