Recently I was trying to test a web service. The traffic was over SSL/TLS and everything was fine. As I am better with Burp than SoapUI, I wanted to use Burp as a proxy for SoapUI. This should be an easy matter: Burp creates a custom certificate (signed by its root CA) for each site and effectively man-in-the-middles the connection. But this time it was different. I was getting the dreaded `Peer not Authenticated` error. This meant that SoapUI did not recognize Burp's custom certificate.

In Burp, select the 'Options' tab, scroll down to the 'Client SSL Certificates' section and select 'Add'. Select the certificate type, either File (PKCS#12) or Hardware token/Smart card (PKCS#11). You can also specify a destination host, or leave that part blank to apply the certificate to all hosts.

If you want to intercept SSL traffic, you'll need to install the Burp CA cert. See the Burp docs for details. Burp Proxy generates its own self-signed certificate for each instance. To get a copy of your Burp CA certificate, browse to 127.0.0.1:8080 (or wherever your Burp Proxy instance is running) and click on CA certificate in the top right corner.

Unrecognized SSL message, plaintext connection? I have the certificate installed on the system, and I am able to intercept the traffic; however, when the traffic is intercepted the user can no longer get forwarded to the site (using google.com or duckduckgo.com). It will just hang instead of forwarding the user.
I Googled and found some solutions such as adding Burp's CA to my certificate store (already done), adding it to SoapUI's keystore (didn't work) or using custom versions of SoapUI created for exactly this reason (again didn't work).
After a suitably long period of weeping and gnashing of teeth I achieved salvation.
![Certificates Certificates](/uploads/1/3/7/1/137177567/306378416.png)
Here's how to do it:
![Burp Burp](/uploads/1/3/7/1/137177567/308713304.jpg)
1. Set Burp as proxy for SoapUI. In SoapUI go to File > Preferences > Proxy Settings.
2. Modify target address to http from https.
   - 2.a. In SoapUI, modify the Service Endpoint. Change `https://example.com` to `http://example.com`. Or
   - 2.b. Modify the WSDL and change `wsdl:address location` similarly and import it into SoapUI.
3. Edit Burp's listener and check Force use of SSL under Request Handling. Notice that the Redirect to port input field will be automatically populated with 443. If your service endpoint is using a different port, modify that accordingly.
4. Now you can send requests from SoapUI and intercept them in Burp. Responses will appear in both SoapUI and Burp like any proxied application.
5. Be sure to remove the Force use of SSL after you are done. Otherwise you will be wondering why gmail is available under http in your browser (like ~~me~~ someone I know).
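Step 2.b as a script, added here as an example and not part of the original post: it rewrites only the `location` attribute of address elements in a WSDL from https to http, and reports the upstream host and port pairs that Burp's Redirect to port setting has to match. The names `downgrade_wsdl` and `SAMPLE_WSDL` are hypothetical and the sample WSDL is constructed.

```python
import re
from urllib.parse import urlsplit

# Matches soap:address, soap12:address and http:address (any prefix, either
# quote style). The WSDL is edited as text on purpose: an ElementTree
# round-trip renames prefixes and drops declarations that are only used in
# QName attribute values such as binding="tns:OrderBinding".
_ADDRESS = re.compile(
    r"""(<(?:[\w.-]+:)?address\b[^>]*?\blocation\s*=\s*)(["'])(.*?)\2"""
)

def downgrade_wsdl(wsdl_text):
    """Return (rewritten_wsdl, upstream), where upstream is a sorted list of
    (host, port) pairs the Burp listener must reach over TLS."""
    upstream = set()

    def rewrite(match):
        prefix, quote, url = match.groups()
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return match.group(0)  # leave non-https endpoints untouched
        upstream.add((parts.hostname, parts.port or 443))
        return f"{prefix}{quote}http{url[len('https'):]}{quote}"

    return _ADDRESS.sub(rewrite, wsdl_text), sorted(upstream)

# Constructed sample WSDL fragment with a default-port and a custom-port endpoint.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example:orders" targetNamespace="urn:example:orders">
  <wsdl:service name="OrderService">
    <wsdl:port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://example.com/orders"/>
    </wsdl:port>
    <wsdl:port name="AdminPort" binding="tns:OrderBinding">
      <soap:address location="https://example.com:8443/admin"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

if __name__ == "__main__":
    new_wsdl, upstream = downgrade_wsdl(SAMPLE_WSDL)
    print(new_wsdl)
    for host, port in upstream:
        print(f"Burp listener: Force use of SSL, redirect to {host}:{port}")
```

An endpoint on a port other than 443 shows up in the second return value, which is the case where the auto-populated Redirect to port value has to be changed.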