Saturday, December 19, 2020

Secured Web Service testing with Burp Suite

After you have intercepted the request in Burp Suite, follow the steps below to send it to a secured web service.

Sending Request to Repeater:

Right-click in the "Raw" tab under "Proxy" --> "Intercept"

Click on option "Send to Repeater"

Go to the Repeater tab. You will now see the same request that was intercepted here as well.

If the web service is a secured one, you will have the following details in the SOAP header:

1. Username

2. Password in Digest mode (hashed, not sent in plain text)

3. Nonce (Should be unique in each request)

4. Created date

For secured web service testing, you need to install the WS-Security extension from the Burp Suite BApp Store.

Steps for installation of WS-Security extension:

Go to "Extender" --> "BApp Store"

Navigate to "WS-Security" and install it.

Once installed, the extension appears as a new tab named "WS-Security".

Configuration of WS-Security:

Navigate to the "WS-Security" tab

Provide the password in plain text in the "Password" text box

Now click "Turn WS-Security on".

Configuration of Scope:

Go to "Target" --> "Scope"

Click on the "Add" button

Provide the web service endpoint URL

Configuring WS-Security details in request:

Now we need to configure the following 3 details in the "Extender" tab, so that the nonce, created date and password digest can be generated automatically by the WS-Security extension.

Replace the password value in the SOAP request with #WS-SecurityPasswordDigest

Replace the value in the nonce tag with #WS-SecurityNonce

Replace the value in the created tag with #WS-SecurityCreated

This lets the extension replace those placeholders with the values it generates from the password configured in the "WS-Security" tab each time the SOAP request is sent.
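As an added example (not code from this post or from the Burp WS-Security extension), the Python below shows what the three placeholders stand for and what the SOAP header fields listed earlier contain: it computes the UsernameToken PasswordDigest (Base64 of SHA-1 over nonce + created + password, per the OASIS UsernameToken Profile 1.0), fills a constructed SOAP request that carries the same placeholder names, and then verifies the token the way a service should, rejecting a stale Created timestamp, a reused nonce and a wrong password. The SOAP template, the username "tester" and the password "s3cret" are constructed sample data.

```python
# Added example (not the blog's or the Burp extension's code): what the
# WS-Security extension computes for the three placeholders, and the checks a
# service should apply to the resulting UsernameToken. Sample data is constructed.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Placeholder strings exactly as used in the Repeater request.
PLACEHOLDER_DIGEST = "#WS-SecurityPasswordDigest"
PLACEHOLDER_NONCE = "#WS-SecurityNonce"
PLACEHOLDER_CREATED = "#WS-SecurityCreated"

# Constructed SOAP request with the three placeholders in the UsernameToken.
SOAP_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soapenv:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>tester</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">#WS-SecurityPasswordDigest</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">#WS-SecurityNonce</wsse:Nonce>
        <wsu:Created>#WS-SecurityCreated</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
"""

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def fill_placeholders(template: str, password: str,
                      nonce: Optional[bytes] = None, now: Optional[datetime] = None) -> dict:
    """Replace the placeholders the way the extension does: a fresh random nonce,
    the current UTC timestamp, and the digest computed from both plus the password."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FORMAT)
    digest = password_digest(nonce, created, password)
    request = (template.replace(PLACEHOLDER_DIGEST, digest)
                       .replace(PLACEHOLDER_NONCE, base64.b64encode(nonce).decode("ascii"))
                       .replace(PLACEHOLDER_CREATED, created))
    return {"request": request, "nonce": nonce, "created": created, "digest": digest}


class UsernameTokenVerifier:
    """Server-side verification: freshness window on Created, one-time nonces,
    and a constant-time comparison of the recomputed digest."""

    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5)):
        self.passwords = passwords          # username -> password (demo only)
        self.max_age = max_age
        self.seen_nonces = set()            # replay cache; bound it by max_age in production

    def verify(self, username: str, digest: str, nonce_b64: str, created: str, now: datetime) -> str:
        password = self.passwords.get(username)
        if password is None:
            return "unknown user"
        try:
            created_at = datetime.strptime(created, TIME_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "bad created format"
        if abs(now - created_at) > self.max_age:
            return "created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return "nonce replayed"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, digest):
            return "digest mismatch"
        self.seen_nonces.add(nonce)         # record the nonce only after a valid digest
        return "ok"


def demo() -> dict:
    """Walk through a valid request, a replay, a wrong password and a stale timestamp."""
    now = datetime(2020, 12, 19, 12, 0, 0, tzinfo=timezone.utc)
    nonce = bytes(range(16))                # fixed nonce so the run is reproducible
    out = fill_placeholders(SOAP_TEMPLATE, "s3cret", nonce=nonce, now=now)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    good = UsernameTokenVerifier({"tester": "s3cret"})
    bad_pw = UsernameTokenVerifier({"tester": "wrong"})
    return {
        "placeholders_left": "#WS-Security" in out["request"],
        "created": out["created"],
        "digest_len": len(out["digest"]),
        "first": good.verify("tester", out["digest"], nonce_b64, out["created"], now),
        "replay": good.verify("tester", out["digest"], nonce_b64, out["created"], now),
        "wrong_password": bad_pw.verify("tester", out["digest"], nonce_b64, out["created"], now),
        "stale": bad_pw.verify("tester", out["digest"], nonce_b64, out["created"],
                               now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verifier checks freshness before the nonce cache and records a nonce only after the digest matches, so unauthenticated requests cannot fill the replay cache; a real service would also expire cached nonces after the freshness window rather than keep them forever.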

Click the "Send" button in the "Repeater" tab.

You will see the response on the right-hand side.
