SoapUI with Burp

In a recent project I tested a web service and we got a nice SoapUI project for it. SoapUI is a great tool, but you somehow miss the nice features of Burp, such as the Intruder. But of course the idea comes immediately: why not chain them? It turns out this is not as trivial as it seems at first sight.

Although SoapUI has a built-in proxy setting, it didn’t work for me. After Googling a little bit I found a great blog post about this exact problem here: http://ardsec.blogspot.de/2012/08/soapui-to-burp-fuzz-away.html.

The root cause of the problem seems to be that SoapUI ignores the proxy settings if the target service runs on HTTPS. I am sure the described solution also works fine, but it seemed too complicated for me, so I tried a simpler one which works as well. It might depend on the SoapUI version, but in 4.5.1 it works just fine. So here it is:


1) Change the default Burp proxy to always use SSL (Proxy/Edit/Request Handling/Force use of SSL). This way Burp will forward the requests through SSL anyway.

2) Set up a proxy in SoapUI (File/Preferences/Proxy Settings/). Set the host and the port (I used 127.0.0.1:8008), then tick the ‘enable using proxy’ checkbox.

3) Change the URL of the request you are testing from HTTPS to HTTP.

With this solution the SoapUI proxy will work properly: the requests will be sent to Burp without SSL, but Burp will force SSL with the server, so for the server everything will be the same.
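Step 3 has to be repeated for every request in the project. As an added example (not part of the original post), the following Python script applies it to a copy of the project file in one pass, touching only endpoint elements and leaving request payloads alone. The `con:endpoint` element name, the sample project and its host names are assumptions constructed for illustration; check them against your own project file.

```python
import re
import sys

# Opening tag of an endpoint element followed by an https URL. The "con:"
# prefix and element name are assumptions about the project file layout.
ENDPOINT_RE = re.compile(r"(<con:endpoint>\s*)(https)(://[^<\s]+)", re.IGNORECASE)

# Constructed sample, trimmed to the elements that carry endpoint URLs.
SAMPLE_PROJECT = """<con:soapui-project name="demo" xmlns:con="http://eviware.com/soapui/config">
  <con:interface name="OrderBinding">
    <con:endpoints>
      <con:endpoint>https://ws.example.test/orders</con:endpoint>
    </con:endpoints>
    <con:operation name="getOrder">
      <con:call name="Request 1">
        <con:endpoint>https://ws.example.test:8443/orders</con:endpoint>
        <con:request><![CDATA[<cb>https://ws.example.test/callback</cb>]]></con:request>
      </con:call>
    </con:operation>
  </con:interface>
</con:soapui-project>
"""


def downgrade_endpoints(project_xml):
    """Rewrite https endpoints to http; return (new_xml, [(old, new), ...])."""
    changes = []

    def repl(match):
        old = match.group(2) + match.group(3)
        new = "http" + match.group(3)   # host, port and path stay as they were
        changes.append((old, new))
        return match.group(1) + new

    # Only text directly inside an endpoint element is rewritten, so URLs
    # that appear in request bodies keep their https scheme.
    return ENDPOINT_RE.sub(repl, project_xml), changes


if __name__ == "__main__":
    # Usage: script.py project.xml project-burp.xml (no arguments: run on the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) == 3 else SAMPLE_PROJECT
    out, changed = downgrade_endpoints(src)
    for old, new in changed:
        print(old, "->", new)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(out)
```

Writing to a second file leaves the original project untouched, so the HTTPS endpoints are still in place once Burp is taken out of the chain.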

6 Comments

  1. That looks useful and I’ll try it out next time. It certainly seems simpler than what I went through on my blog :)

  2. Great post and thanks for your solution.
    The soapUI bug in 4.5 is really annoying.
    If you are not willing to change the soapUI project for some reason, you could use soapUI 4.0.x.
    This version does not contain the proxy bug and should be sufficient for most projects.

    Cheers

    /M

  3. geri

    April 7th, 2013 at 17:50

    Hi Sledge,

    thanks for the feedback, it is good to know that soapUI 4.0 works well. Usually I don’t use it so extensively so I can live without the 4.5 features.

  4. geri

    April 7th, 2013 at 17:52

    Yeah but anyways thanks for the initial idea :).

  5. Hi Geri,

    had the same problem and summarized “my” solution (in German):
    http://lists.owasp.org/pipermail/owasp-germany/2013-January/000460.html
    http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Flists.owasp.org%2Fpipermail%2Fowasp-germany%2F2013-January%2F000460.html

    I put the word “my” in quotes as one can figure from the thread that it is based on the feedback I collected.

    Thx,

    Dirk

    PS: You should include a noscript section in your blog

  6. geri

    June 12th, 2013 at 13:52

    Hi Dirk,

    great, thanks for the tip! I will make the noscript section as soon as I have some time, but thanks for the feedback anyways.

    Viele Gruesse,
    Geri


© 2017 Æther Security Lab
