SoapUI configuration with BurpSuite

Bug Rider
5 min read · Mar 12, 2021

SoapUI configuration with BurpSuite certificate

I am going to cover the following topics:

  1. SoapUI tool and Burp Suite configuration
  2. Generating a Burp certificate that is compatible with the SoapUI tool
  3. Installing the Burp Suite certificate at SoapUI tool level
  4. Installing the Burp Suite certificate at SoapUI project level
  5. Installing the Burp Suite certificate at SoapUI test case level

SoapUI tool and Burp Suite configuration

As we all know, SOAP-UI is an API testing tool in which we can test both SOAP APIs and REST APIs. BurpSuite, on the other hand, is an interception proxy, mainly used for penetration testing of web applications (thin clients), standalone applications (thick clients), and APIs.

I am not going to discuss the SOAP-UI tool itself here. You can find information about SOAP-UI in the link below (official documentation), and I came across a very good tutorial on Udemy.com, sharing the link below.

SOAP-UI is available in both commercial and free versions. The commercial version is called SOAP-UI Pro and is very helpful for automation; the free version is SOAP-UI. Both can be downloaded from the link below. Here I will be using only the free version of SOAP-UI.

SOAP-UI Tool Download: https://www.soapui.org/downloads/soapui/

SOAP-UI Documentation: https://www.soapui.org/docs/soapui-projects/

Sample API for practice: http://www.dneonline.com/calculator.asmx?wsdl, or you can find other samples on the internet (Google).

BurpSuite is an interception proxy, which intercepts the request before it goes to the server. Hackers and security professionals use the request and response to check for security vulnerabilities. Long story short, it is used in penetration testing, bug bounty, and security testing engagements.

BurpSuite is available in both free and commercial versions. The free version comes in only one form, called the Community Edition. Under the commercial version, BurpSuite offers the Professional Edition and the Enterprise Edition. The Professional Edition is a standalone edition, while the Enterprise Edition works like a client-server architecture, where agents do the jobs and push the results to the server. I will be using the BurpSuite Community Edition.

Java Download and install: https://www.java.com/en/download/

BurpSuite Tool Download: https://portswigger.net/burp/communitydownload

BurpSuite Academy (for learning): https://portswigger.net/web-security (create a free account and log in)

Download the software from the above links and install it (the default installation is fine). BurpSuite requires Java, so install Java (and set the Java path) before installing BurpSuite.

BurpSuite Configuration

1. Start BurpSuite -> Proxy -> Options

2. Download the certificate

a. We require a certificate to capture HTTPS traffic

b. In SOAP-UI, installing a Burp certificate is a little tricky, because SOAP-UI uses a Keystore.

c. Below are the methods used to download and install the certificate

i. Download the certificate in Keystore format and give a password

ii. Follow the below image

d. Give a name and the password for the certificate and download the certificate. Follow the below image

e. The BurpSuite certificate will be downloaded

f. Now we need to configure SOAP-UI with Burp Suite
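Before pointing SOAP-UI at the exported file, it helps to confirm that it opens with the password you chose and really holds a private key together with the certificate. The following is an added example, not part of the original post; it assumes the export is a PKCS#12 keystore, and the class name BurpKeystoreCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): sanity-checks a keystore exported
// from Burp. Assumes PKCS#12 format; file and password are the reader's own.
public class BurpKeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java BurpKeystoreCheck.java <keystore-file> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        } catch (IOException e) {
            // KeyStore.load signals a bad password as an IOException whose cause is
            // UnrecoverableKeyException; anything else is a format or read problem.
            String why = (e.getCause() instanceof UnrecoverableKeyException)
                    ? "wrong password"
                    : "not a readable PKCS#12 keystore (" + e.getMessage() + ")";
            System.err.println("Cannot open " + args[0] + ": " + why);
            System.exit(1);
        }
        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            boolean key = ks.isKeyEntry(alias);
            hasKey |= key;
            System.out.println("alias=" + alias + " type="
                    + (key ? "private key + certificate" : "certificate only"));
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal().getName());
                System.out.println("  issuer : " + x.getIssuerX500Principal().getName());
                System.out.println("  expires: " + x.getNotAfter());
            }
        }
        if (!hasKey) {
            System.err.println("No private-key entry found in this keystore.");
            System.exit(1);
        }
    }
}
```

With Java 11 or later this runs directly as `java BurpKeystoreCheck.java <keystore-file> <password>`. The file holds the private key of your Burp CA, so keep it and its password on the test machine only.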

SOAP-UI Configuration with BurpSuite

1. Open SOAP-UI tool -> preferences

2. In the new window, select proxy

3. In the right-hand pane, select manual proxy and enter the IP address and port number that you configured in BurpSuite

4. The proxy icon is used to turn on and off the proxy

5. Follow the below image

1. Now you have configured the BurpSuite with the SOAP-UI tool

2. At this point you are good to test HTTP traffic, but when you try to test HTTPS traffic, you will get an error similar to the one below

3. “Error getting response; javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

4. Configure the downloaded BurpSuite certificate with SOAP-UI.

5. Follow the below steps

1. SOAP-UI -> Preferences

2. Click on SSL

3. Give the path for the downloaded burp certificate. Here in my case, I saved the file on desktop, with the name “burp”

4. Give the password; in my case it's burp

5. Select the “required client authentication” check box

6. Follow the below image

1. Now you are good to test HTTPS traffic. SOAP-UI and BurpSuite are now configured with the BurpSuite certificate

2. The certificate is set at the SOAP-UI level

Setting the certificate at the project level

For our testing purpose, I am using the calculator WSDL file

http://www.dneonline.com/calculator.asmx?wsdl

1. Click on the SOAP icon; it will open a new window

2. In the ProjectName: you can give anything; I gave Calculator

3. Initial WSDL: copy and paste the calculator WSDL from above

4. Click ok

The SOAP-UI tool will load the calculator WSDL URL and you will see a window like below

Now you need to configure your BurpSuite certificate at the project level

1. Double click the calculator

2. Click WS-Security Configuration

3. Click Keystores

4. Click + button to add the certificate

5. It will prompt for the certificate location and password; click OK

6. Now we have set the certificate at the project level

Setting the certificate at the test case level

1. To set the BurpSuite certificate at the test case level, first, you need to set the BurpSuite certificate at the tool level

2. Select the individual test case

3. The Properties tab will open for that test case

a. Select SSL Keystore and select the BurpSuite certificate

b. Now you have set the Burp Suite certificate at the test case level

c. All done.
