Wednesday, January 23, 2013

Using the Burp Suite to test a Web Service that is consumed in a Salesforce app

The following steps can be used to run the Burp Suite scanner against a Web service that is consumed in a Salesforce app via callouts.

The basic idea is to:

  1. import the Web Service WSDL into SOAP UI,
  2. configure SOAP UI to use the Burp Proxy,
  3. use SOAP UI to simulate the SOAP requests for typical use cases; this will require updating the sample requests generated in SOAP UI to represent those made from Salesforce under normal usage,
  4. select the requests to scan from the Burp Target > Site map tab.

Get a Burp Suite License

ISV partners can submit a Burp License Request.

Install and run Burp

I put the Burp jar file and license txt file in a directory and started it with the following in a batch file:

java -jar -Xmx1024m burpsuite_pro_v1.5.04.jar

See Also: Getting Started With Burp Suite

Configure Burp

Turn “Intercept” (Proxy->Intercept) off within Burp.

Configure SOAP UI to use the Burp Proxy

File > Preferences > Proxy Settings:

127.0.0.1:8080

You can find the Burp Proxy details under Proxy > Options > Proxy Listeners.

You may need to install Burp's generated CA certificate into the Trusted Root Certification Authorities store if using SSL. See Installing Burp's CA Certificate. If it is not configured you get the following error message in SoapUI: "Error getting response; javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated."

For SoapUI to pick up the new cert (it uses its own bundled JRE, so the certificate goes into that JRE's cacerts keystore, not the system Java's):

  1. Go to the path: C:\Program Files (x86)\SmartBear\SoapUI-5.0.0\jre\lib\security
  2. Export the Burp CA Certificate using Proxy > Options > CA certificate... > Export: Certificate in DER format.
  3. Use the Java keytool executable to import the certificate, running it from the directory in step 1 (the -keystore cacerts argument is relative to the current directory):
    "C:\Program Files (x86)\Java\jdk1.7.0_67\bin\keytool.exe" -import -alias burp -file "C:\WhereYouExportedTheDerCertificate\PortSwiggerCA.cer" -keystore cacerts
  4. The keystore password will be:
    changeit
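The same two things SoapUI needs here, a client that trusts Burp's exported CA and a realistic SOAP request routed through the proxy listener, can be done from a small script when SoapUI is not convenient (for example to replay a batch Apex callout). The following is an added Python example, not code from this post or from SoapUI or Burp; it assumes the proxy listener and certificate path given above, and the web service host, path, namespace and method names in it are placeholders. It converts the DER certificate Burp exports into PEM (the form non-Java clients expect), builds a SOAP 1.1 envelope of the shape Salesforce generates from a WSDL, and sends it through Burp's CONNECT tunnel so it is recorded under Target > Site map.

```python
import ssl
import http.client
from pathlib import Path
from xml.sax.saxutils import escape

# Burp proxy listener and exported CA certificate as described above.
# The certificate path is the one used in the keytool step (assumption: you exported it there).
BURP_PROXY = ("127.0.0.1", 8080)
BURP_CA_DER = Path(r"C:\WhereYouExportedTheDerCertificate\PortSwiggerCA.cer")


def der_to_pem(der_bytes: bytes) -> str:
    """Convert the DER certificate Burp exports into PEM text (a pure re-encoding, no validation)."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def build_ssl_context(pem_ca: str) -> ssl.SSLContext:
    """Default (verifying) TLS context that additionally trusts Burp's CA.

    Without this, the handshake to Burp fails with the Python equivalent of
    SoapUI's 'peer not authenticated' error, because Burp presents a certificate
    for the target host signed by its own CA.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cadata=pem_ca)
    return ctx


def soap_envelope(namespace: str, method: str, params: dict) -> str:
    """Minimal SOAP 1.1 envelope like the one Salesforce builds from a WSDL-generated Apex class.

    Parameter values are XML-escaped so test data containing < > & cannot break the envelope.
    """
    body = "".join(f"<{name}>{escape(str(value))}</{name}>" for name, value in params.items())
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:ns="{namespace}">'
        "<soapenv:Header/>"
        f"<soapenv:Body><ns:{method}>{body}</ns:{method}></soapenv:Body>"
        "</soapenv:Envelope>"
    )


def send_via_burp(host: str, path: str, soap_action: str, envelope: str,
                  ctx: ssl.SSLContext, proxy=BURP_PROXY):
    """POST the envelope to https://host/path through Burp's CONNECT tunnel.

    The TLS session is negotiated with Burp (acting as the server for `host`),
    so the certificate Burp presents must chain to the CA loaded in `ctx`.
    Returns (status, response_body).
    """
    conn = http.client.HTTPSConnection(proxy[0], proxy[1], context=ctx, timeout=30)
    conn.set_tunnel(host, 443)
    headers = {"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": soap_action}
    conn.request("POST", path, body=envelope.encode("utf-8"), headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder service details; replace with the values from your WSDL.
    ctx = build_ssl_context(der_to_pem(BURP_CA_DER.read_bytes()))
    env = soap_envelope("urn:example-service", "GetOrder", {"orderId": "ORD-0001"})
    try:
        status, body = send_via_burp("webservice.example.com", "/OrderService",
                                     "urn:example-service/GetOrder", env, ctx)
        print(status, body[:200])
    except ssl.SSLCertVerificationError as exc:
        # Same failure SoapUI reports as SSLPeerUnverifiedException: Burp's CA is not trusted.
        print("TLS verification failed; is Burp's CA certificate loaded?", exc)
```

Once requests sent this way appear in Target > Site map, the scanning steps below apply to them exactly as they do to requests made from SoapUI.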

Use SOAP UI to simulate the web requests that Salesforce would make to the web service

This will require you to update the sample requests that SOAP UI generates for each of the web methods with realistic request data. Try to mimic the calls that Salesforce will be making.

When the SOAP UI requests are submitted Burp will record them under the Target > Site map tab.

Start the Burp Scanner

Under the Target > Site map tab select the request nodes or host/branch that you want to scan. If it were a website you would usually do a "Spider this branch" at this point. Start the Scanner for the branches by selecting "Actively scan this branch".

Under the Scanner > Scan Queue tab the requests will appear and be processed. The output will start appearing under the Scanner > Results tab.

Export the Burp Scanner Results

Under the Scanner > Scan Queue tab select the results of interest, then right click and select "Report selected issues".

The Printer-friendly version with hyperlinks works well for both screen reading and printing. Defaults can be used for the remaining steps. Ensure you save the report in a file with the ".html" extension.


11 comments:

  1. Thanks for this. Do you know if you can use the free version of Burp Suite to test secure SOAP services? I am not getting Burp Suite to work with soapUI. I keep getting "ERROR:javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated", but it works if I do not use Burp Suite as a proxy.

    1. Sorry, I don't know. My only guess would be if you are using SSL it might not work with the proxy.

    2. Finally got this working. It appears to be an issue with soapUI. I used the fix described here:

      http://www.thinkingsecure.com.au/2013/04/pentesting-soap-services-with-soapui.html

    3. It is not resolved in soapUI 5.0.0. Please give me a recompiled jar file of that so that I can do that. Please help me ASAP.

    4. Minkesh, you might have more success with this on the blog linked to from Rob's reply. I haven't needed to do this myself.

    5. OK. I have downloaded SoapUI Pro 4.5.1 and with it, it is not working. Can you please share the soapUI 4.5.1 download link? I am trying the same thing Rob did. Let me see if it works.

  2. Thanks for the post. I ran the tool and it reported some errors to me. My question is, do we have to fix all errors before submitting the app for listing?

    1. You will either need to fix them or include a justification as to why they don't need to be fixed.

  3. Thank you for the post. Well, I am using the Amazon web service in my app. I make callouts to the Amazon web service using my batch class. On the Visualforce page I do not have any callout.

    I did my Force.com security scan, but Salesforce says I need to scan the non-Force.com component. I am not sure how to do this because the callout is from a batch class, which is asynchronous.

    Could you help here?

    1. The process will be exactly the same for a batch Apex class. You need to identify the web service method you are calling and anything else that can be called against that web service.

    2. OK. So you mean I can run the normal Force.com security scan for the batch class.

      And as I am using the REST web service of Amazon, I can make those callouts using curl or a URL, which can be intercepted through Burp, and provide a consolidated Burp report for both scans (curl and one Visualforce page). Am I right here?

      I have really been stuck here for around 3 weeks. Your help here will be appreciated.
