The correct answer is D.
OBJ-3.3: An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on websites that use user-supplied information to construct an XPath query for XML data.