Burp Suite doesn't intercept HTTPS calls from Advanced Rest Client - rest

I'm using burp suite to intercept the calls that I do with the plugin Advanced Rest Client and with a sinatra application that is called by the Advanced Rest Client.
I've set it as proxy of my whole system, but still it intercepts only the calls by Chrome :(
Any idea?

The reason was that my requests were using OAuth and SSL, so they are not filtered by Burp Suite.

Related

Show traffic between web service and client

I have simple Jersey based web service running on TomCat 9. I do development in Eclipse IDE. Server and IDE are on the same windows machine. I'm using Postman utility to generate test requests.
I would like somehow to see all request/response traffic between service and postman. What is the best way to do that?
Postman will show you everything sent and received in the request (url, headers and content), but you can use a tool like Fiddler to view intercepted HTTP requests.
https://www.telerik.com/fiddler
The best way is to use Tomcat's Request Dumper Filter. It's the best in the sense you don't need anything more than what you already have.
If you do not insist on a eclipse integration you could use burp( https://portswigger.net/burp ).
In proxymode you can play "man in the middle" at your localhost and get every content.
You have just to setup burp as your proxy and you are done. You are also able to stop traffic etc. etc. This works for all kind of network traffic.
The tool is also available in a community edition.

How to use CORS with grails rest API?

I am developing Rest Api using grails. It is working on localhost:8080. when I am calling with POSTMAN it responded with json. I want to use this data and also perform CRUD operation on my web page which is running on other domain. When I am trying to call RESTAPI which is written in grails, the browser is not able to get a response due to Access-Control-Allow-Origin. So how to enable CORS functionality in my REST API, So anyone can access from a different domain.
If you are using Grails 3.2.1 or higher, it comes with CORS support built in.
In your application.yml, add the following:
grails:
cors:
enabled: true
See http://docs.grails.org/latest/guide/introduction.html#whatsNewCors for further details.

Restful Webservice SAP testing

Is there any way to test rest Webservices in SAP?
I know it's possible to test SOAP Webservices with eCATT but to do that a WSDL file is needed.
The Problem with rest Webservices is, there is no such WSDL file.
Thanks in advance.
I'm assuming from your question that you'd like to test the service from within your SAP system rather than by using an external tool.
If you have access to a system that has the Gateway components deployed, you can use the Gateway client (transaction code /IWFND/GW_CLIENT). It provides a very similar set of functionality to Postman, Paw, et al.
You can use some rest clients available on the browsers:
Postman -> Chrome
RESTClient -> Firefox
Futhermore, if you need a more robust client, you can use SoapUI. See this link.
You may use Fiddler.
Here is detailed instructions on how to test a web service (I know the instructions are for asp.net web services but the Fiddler part should work for any web services).

Authentication with CAS for rest service call

In our current setup we have about a dozen web applications that deploy to a single Tomcat server. One of these applications is CAS which is used for all authorization.
This works pretty well and in our jRuby web application we use the rubycas-client gem, point to CAS and we're done.
Now we have a requirements where, in a Java component, we need to be able to call out to another web application via a rest service that resides on the same server. My first thought was to use CAS proxy tickets but the web application we have to hit currently doesn't have this enabled and, due to the nature of the environment, this cannot be changed.
So as far as I can tell we're left trying to impersonate the user by using an iframe in our web application that points to the other one (we're all on the same domain and server) and scrape its sessionid for impersonation and pass it down to the Java layer. But I really, really don't want to do this.
Am I missing anything? Is there any better ways of doing this? Is there a way to get the sessionid without an iframe maybe?
Thanks!
If you want to call a web service from a web application using CAS identity, you certainly should use the CAS proxy feature.
If you can't cassify your web service, there is another option for you : you could use the Apache module for CAS : https://wiki.jasig.org/display/CASC/mod_auth_cas.

Exploring web service through WSDL that require authentication

I'm working with SOAP based web services that require authentication. I usually use the Eclipse Web Service explorer to explore the offered services but for the services requiring authentication, there does not seem to be an authentication option and I keep getting the 401 response.
I tried online clients as well. There is one at http://soapclient.com/soaptest.html but it also exhibits the same behavior.
When I try to access the web services through the browser I get the username/password prompt and it works.
I have also tried using https://username:password#webserviceURL. Again, this works in the browser but not in Eclipse or the online SoapClient utility.
Any ideas how I can get do this ?
It was pretty trivial in SoapUI.
I also found an online client that works with the http://username:password#webserviceURL pattern. Its at : http://tools.pointbeing.net/wsdlviewer