Piping SSL/TLS Traffic from SoapUI to Burp
source link: https://parsiya.net/blog/2014-06-25-piping-ssl/tls-traffic-from-soapui-to-burp/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Jun 25, 2014 - 2 minute read - Comments - Burp
Piping SSL/TLS Traffic from SoapUI to Burp
Recently I was trying to test a web service. The traffic was over SSL/TLS and everything was fine. As I am better with Burp than SoapUI, I wanted to use Burp as a proxy for SoapUI. This should be an easy matter. Burp will create a custom certificate (signed by its root CA) for each site and effectively Man-in-the-Middle the connection. But this time it was different, I was getting the dreaded Peer not Authenticated
error. This meant that SoapUI did not recognize Burp's custom certificate.
I Googled and found some solutions such as adding Burp's CA to my certificate store (already done), adding it to SoapUI's keystore (didn't work) or using custom versions of SoapUI created for exactly this reason (again didn't work).
After a suitably long period of weeping and gnashing of teeth I achieved salvation.
Here's how to do it:
Set Burp as proxy for SoapUI.
In SoapUI go toFile > Preferences > Proxy Settings
.Modify target address to http from https
2.a. In SoapUI, modify the
Service Endpoint.
Changehttps://example.com
tohttp://example.com
.
Or2.b. Modify the WSDL and change
wsdl:address location
similarly and import it into SoapUI.Edit Burp's listener and check
Force use of SSL
underRequest Handling.
Notice that theRedirect to port
input field will be automatically populated with 443. If your service endpoint is using a different port, modify that accordingly.Now you can send requests from SoapUI and intercept them in Burp. Responses will appear in both SoapUI and Burp like any proxied application.
Be sure to remove the
Force use of SSL
after you are done. Otherwise you will be wondering why gmail is available under http in your browser (like me someone I know).
Posted by Parsia Jun 25, 2014 Tags: SoapUI Proxy
Pasting Shellcode in GDB using Python Apple's Common Crypto Library Defaults to a Zero IV if One is not Provided
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK