Burp Suite User Forum


How can I perform security tests on SOAP web services that use WSS with a keystore?

Tejo | Last updated: Aug 24, 2018 04:26PM UTC

My web service under test uses an encrypted and decrypted way to send the request and receive the request. This is performed via public and private keys embedded in the .JKS file. The request works fine for incoming and outgoing WSS configurations in SOAP UI. Now how can I extend this to use in Burp? Please suggest how I can add the keystore to make the encryption and decryption successful, and how to verify the security of the web services. I have tried intercepting the request through SOAP UI via a proxy in Burp. The requests and responses I see in Burp's raw request/response views come as encrypted, not as the plain requests/responses. Need your guidance here. Thanks, Tejo.

PortSwigger Agent | Last updated: Aug 29, 2018 10:41AM UTC

Unfortunately, Burp does not have support for WS-Security, so you can't use Burp to see inside the encrypted messages. This would be a really cool extension if someone was to develop it. Probably relatively easy to do by leveraging a library like WSS4J.

Burp User | Last updated: Aug 29, 2018 01:50PM UTC

Thank you Paul for the response.
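Added example (not part of the thread and not PortSwigger or WSS4J code): although the payload stays opaque without the keystore, the WS-Security header of a message captured in Burp still shows which elements are encrypted and with which algorithms. The sketch below reads that metadata; the sample envelope is constructed, and SOAP 1.1 with the standard WS-Security 1.0 and XML Encryption namespaces is assumed.

```python
import xml.etree.ElementTree as ET

# Namespaces for SOAP 1.1, WS-Security 1.0 and XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample message; ciphertext values are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security>
  <xenc:EncryptedKey Id="EK-1">
   <xenc:EncryptionMethod Algorithm="{xenc}rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body>
  <xenc:EncryptedData Id="ED-1" Type="{xenc}Content">
   <xenc:EncryptionMethod Algorithm="{xenc}aes256-cbc"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""".format(**NS)


def _algorithm(element):
    """Return the Algorithm URI of an element's xenc:EncryptionMethod child."""
    method = element.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def summarize_wss(raw_xml):
    """Describe the parts of a WS-Security message readable without keys."""
    root = ET.fromstring(raw_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return {"wss_header": False, "key_transport": [], "encrypted": []}
    body = root.find("soap:Body", NS)
    in_body = list(body.iter()) if body is not None else []
    encrypted = [
        {"id": e.get("Id"), "algorithm": _algorithm(e), "in_body": e in in_body}
        for e in root.iter("{%s}EncryptedData" % NS["xenc"])
    ]
    keys = [_algorithm(k) for k in security.findall("xenc:EncryptedKey", NS)]
    return {"wss_header": True, "key_transport": keys, "encrypted": encrypted}
```

Calling `summarize_wss(SAMPLE)` returns the key-transport and data-encryption algorithm URIs and marks whether each `EncryptedData` element sits inside the SOAP body.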
