Saturday, December 19, 2020

Secured Web Service testing with Burp Suite

After you have intercepted the request in Burp Suite, follow the steps below to send the request to a secured web service.

Sending Request to Repeater:

Right click in the "Proxy"-->"Intercept"-->"Raw" tab

Click on the option "Send to Repeater"

Go to the Repeater tab. You will now see the same request as intercepted there as well.

If the web service is a secured one, you will have the following details in the SOAP header:

1. Username

2. Password in Digest mode (encrypted)

3. Nonce (Should be unique in each request)

4. Created date

For secured web service testing, you need to install the WS-Security extension from the Burp Suite BApp Store.

Steps for installation of the WS-Security extension:

Go to "Extender" --> "BApp Store"

Navigate to "WS-Security" and install it.

Once installed, the extension appears as a new tab named "WS-Security".

Configuration of WS-Security:

Navigate to "WS-Security" tab

Provide the password in plain text in the "Password" text box

Now click "Turn WS-Security on".

Configuration of Scope:

Go to "Target"--> "Scope"

Click on the "Add" button

Provide the web service endpoint URL

Configuring WS-Security details in request:

Now we need to configure the 3 details below (the extension is configured in the "Extender" tab), so that the nonce, created date and password digest are generated automatically by the WS-Security extension.

Replace the password value in the SOAP request with #WS-SecurityPasswordDigest

Replace the value in the nonce tag with #WS-SecurityNonce

Replace the value in the created tag with #WS-SecurityCreated

This lets the extension replace these placeholders dynamically with values derived from the configuration in the "WS-Security" tab each time the SOAP request is sent.

Click on the "Send" button under the "Repeater" tab.

You will see the response on the right hand side.
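To show what the extension computes from the four header fields listed above, here is an added Python example (not part of the original post and not the WS-Security extension's own code): it builds a UsernameToken the way a client would, and shows the server-side checks that make the nonce and created date matter, namely freshness and replay detection. The credential store, username and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created format (no fractional seconds)

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username: str, password: str, created: str = None) -> dict:
    """Client side (what the Burp extension fills in): random nonce, UTC Created, digest."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    if created is None:
        created = datetime.now(timezone.utc).strftime(WSU_TIME_FORMAT)
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}

class UsernameTokenVerifier:
    """Server side: reject stale Created, replayed nonces and wrong digests."""

    def __init__(self, credentials: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.credentials = credentials    # constructed store {username: password}
        self.max_skew = max_skew
        self.seen_nonces = set()          # a real service expires entries older than max_skew

    def verify(self, token: dict, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)
        created = datetime.strptime(token["Created"], WSU_TIME_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return "stale-created"
        if token["Nonce"] in self.seen_nonces:
            return "replayed-nonce"
        password = self.credentials.get(token["Username"], "")
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad-digest"
        self.seen_nonces.add(token["Nonce"])  # record only after the digest checks out
        return "ok"
```

Sending the same intercepted request twice from Repeater against a service that keeps a nonce cache is exactly what the second verify call models; without the #WS-SecurityNonce and #WS-SecurityCreated placeholders the resend fails for that reason rather than a bad password.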






Web Service Testing with Burp Suite and SOAP UI

Installation of Burp Suite:

Pre-requisite:

Java 8 should already be installed.

Go to the link below:

https://portswigger.net/burp/releases?initialTab=community

If you are using Java 8, download the JAR version of release 2020.2. Java 8 is no longer supported for versions newer than this.

Start Burp Suite:

Go to the Windows command prompt.

Navigate to the folder where the JAR is downloaded.

Run the command below:

java -jar burpsuite_community_v2020.2.1.jar

Intercepting request:

Once Burp Suite is open, the first step is to turn on the interceptor.

Navigate to "Proxy" --> "Options" tab

By default the interceptor listens on port 8080. This can be changed to the port you want.

Check that the status is "Running".

Now navigate to the "Proxy"-->"Intercept" tab

Now turn on the interceptor by clicking the toggle button so that it reads "Intercept is on".

SOAP UI Proxy Configuration:

Download SOAP UI from the link below:

https://www.soapui.org/downloads/soapui/soapui-os-older-versions/

Start SOAP UI.

Go to "File"-->"Preferences"

Click on "Proxy Settings"

Select the "Manual" option and provide Host "127.0.0.1" and Port "8080" (the same as the Burp Suite interceptor port)

Now any SOAP request made from SOAP UI will be intercepted by Burp Suite and shown under "Proxy"--> "Intercept"-->"Raw".




Wednesday, December 9, 2020

Concurrency In RxJava


RxJava achieves concurrency through Schedulers.

The most commonly used Schedulers are IO and Computation:

Schedulers.io : used for IO bound tasks (e.g. a network call or a database call).

Schedulers.computation : used for CPU bound tasks (e.g. sorting a large array in Java code).

The difference between a CPU bound and an IO bound task:

In the case of an IO bound task, we can have more threads than the number of CPU cores of the running machine, because the CPU is idle while the IO operation is in progress.

Whereas in the case of a CPU bound task, as it is purely computational (e.g. sorting a Java ArrayList), we should avoid creating more threads than the number of CPU cores in the running machine.


subscribeOn : runs the tasks in a new thread (start to end)

observeOn : threading is applied only to the downstream tasks (the operations defined after the observeOn call)


Example:

In the example below, we take a String, transform it to uppercase, then print the value.


File Name: ObsSubsEx.java

import java.util.concurrent.TimeUnit;

import io.reactivex.Observable;
import io.reactivex.schedulers.Schedulers;

public class ObsSubsEx {

    public static void main(String[] args) throws InterruptedException {

        // subscribeOn before map: the whole chain runs on the computation scheduler
        Observable.just("subscribeOn One").subscribeOn(Schedulers.computation()).map(ObsSubsEx::toUpper).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);

        // subscribeOn after map: its position does not matter, the whole chain still moves
        Observable.just("subscribeOn Two").map(ObsSubsEx::toUpper).subscribeOn(Schedulers.computation()).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);

        // observeOn after map: only the downstream subscribe moves to the computation thread
        Observable.just("observeOn").map(ObsSubsEx::toUpper).observeOn(Schedulers.computation()).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);
    }

    private static String toUpper(String val) {
        System.out.println("Uppercase done on thread:" + Thread.currentThread().getName());
        return val.toUpperCase();
    }

    private static void printVal(String val) {
        System.out.println("Final value is:" + val + ":Thread:" + Thread.currentThread().getName());
    }
}


Let's see from the output log how the flow works:

Uppercase done on thread:RxComputationThreadPool-1
Final value is:SUBSCRIBEON ONE:Thread:RxComputationThreadPool-1

Uppercase done on thread:RxComputationThreadPool-2
Final value is:SUBSCRIBEON TWO:Thread:RxComputationThreadPool-2

Uppercase done on thread:main
Final value is:OBSERVEON:Thread:RxComputationThreadPool-3

Conclusion:

As we can see, in the case of subscribeOn, irrespective of where it is called, both methods toUpper and printVal run in a separate thread, i.e. threading applies to all operations (upstream as well as downstream).

Whereas in the case of observeOn, toUpper runs in the "main" thread and printVal runs in a separate thread, because we called observeOn after the transform, i.e. threading is applied to the downstream operations only.

Now if we call observeOn before the map:

Observable.just("observeOn Two").observeOn(Schedulers.computation()).map(ObsSubsEx::toUpper).subscribe(ObsSubsEx::printVal);

Then we can see both methods run in a separate thread:

Uppercase done on thread:RxComputationThreadPool-4
Final value is:OBSERVEON TWO:Thread:RxComputationThreadPool-4

Further Reading:


http://tomstechnicalblog.blogspot.com/2016/02/rxjava-understanding-observeon-and.html

https://www.aanandshekharroy.com/articles/2018-01/rxjava-flowables

https://proandroiddev.com/understanding-rxjava-subscribeon-and-observeon-744b0c6a41ea

https://dzone.com/articles/server-sent-events-with-rxjava-and-sseemitter

Code Link in Github:





Convert Java Project from Log4j 1 to Log4j2

Many times while working on old Java projects we find Log4j 1.x is used. But as the Log4j2 is the new one; hence to upgrade to Log4j2 we nee...