
I have a J2EE application whose requests can be intercepted by Burp Suite, which then shows the parameters in the request, so I configured Tomcat and changed the publishing mode to HTTPS, but it can still be intercepted by Burp Suite. How do I harden the system so that the clear-text parameters in transit cannot be intercepted by Burp Suite?

Changes to tomcat\conf\server.xml

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="443" keystoreFile="D:/tools/apache-tomcat-6.0.53/.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

Changes to tomcat\conf\web.xml

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Burp Suite Intercept record (screenshot)

  • This configuration means that the communications channel between your Tomcat and Burp Suite is secure. If you want to ensure that the communication to your Tomcat server is with **your exact server**, you need to make sure that your client checks that the certificate is the exact certificate that you have set. What is happening is that Burp Suite is terminating the connection and creating a new connection with its own HTTPS certificate (most likely). – JoSSte Jan 30 '19 at 09:19
  • Yes, I created a private CA, had it issue the certificate, and let the browser trust it for the service I published. But when testing with Burp Suite as a proxy, the communication that was originally browser-to-server becomes browser-to-Burp Suite-to-server. From the browser's point of view, Burp Suite really does create the connection, and the certificate on that connection is Burp Suite's own; the browser will warn that the connection is not secure, so the certificate does play a role. But if the browser user clicks "continue to visit", Burp Suite can still intercept the parameters in plaintext. Any other solutions? – NeoSkyWalker Feb 01 '19 at 01:40
  • If one day Burp Suite gets a highly trusted official certificate, will HTTPS become meaningless? – NeoSkyWalker Feb 01 '19 at 03:00
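The exchange above turns on one point: TLS authenticates the server to whatever trust decision the client makes, and a user who imports Burp's CA (or clicks through the warning) has made that decision in Burp's favour. The script below is an added example, not code from the thread, that reproduces the situation end to end with the `openssl` CLI (1.1.1 or later, assumed to be installed) and Python's `ssl` module: a legitimate `localhost` certificate, a Burp-style CA that mints a second `localhost` certificate, a stock client, a client that trusts the proxy CA, and a client that does what JoSSte's comment suggests and pins the exact server certificate. Names such as `SECRET_REQUEST`, `make_certs` and `pinned_client` are the example's own, and the request body is constructed sample data.

```python
"""Added example (not from the thread): HTTPS vs. an intercepting proxy whose CA the
user trusts, and what pinning the exact server certificate changes.
Assumes the `openssl` CLI (>= 1.1.1) is on PATH."""
import hashlib
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed sample request: the kind of plaintext Burp shows in Intercept.
SECRET_REQUEST = b"POST /login HTTP/1.1\r\nHost: localhost\r\n\r\nuser=alice&pass=hunter2"


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_certs(workdir):
    """Real server cert for 'localhost', plus a proxy CA that mints a second 'localhost'
    cert: same name, different key, signed by the proxy (what Burp does per host)."""
    p = lambda name: os.path.join(workdir, name)
    with open(p("san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
             "-keyout", p("real.key"), "-out", p("real.crt"))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Intercepting Proxy CA",
             "-keyout", p("proxyca.key"), "-out", p("proxyca.crt"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
             "-keyout", p("fake.key"), "-out", p("fake.csr"))
    _openssl("x509", "-req", "-days", "1", "-in", p("fake.csr"), "-CA", p("proxyca.crt"),
             "-CAkey", p("proxyca.key"), "-CAcreateserial", "-extfile", p("san.cnf"),
             "-out", p("fake.crt"))
    return {n: p(n) for n in ("real.crt", "real.key", "proxyca.crt", "fake.crt", "fake.key")}


def cert_pin(der_cert):
    """Pin = SHA-256 of the DER certificate (HPKP/Android pin the SPKI instead; same idea)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_from_pem_file(path):
    with open(path) as f:
        return cert_pin(ssl.PEM_cert_to_DER_cert(f.read()))


def tls_server(certfile, keyfile):
    """One-shot TLS listener standing in for Burp's listener or the real Tomcat.
    Whatever plaintext it decrypts is stored in seen['data']."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    port = lsock.getsockname()[1]
    seen = {"data": b""}

    def serve():
        try:
            conn, _ = lsock.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                seen["data"] = tls.recv(4096)  # b"" if the client hung up without sending
        except (ssl.SSLError, OSError):
            pass  # client refused the certificate and went away
        finally:
            lsock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, seen, t


def browser(port, cafile=None):
    """Ordinary PKI client. cafile=None is a stock browser; cafile=proxy CA is a browser in
    which the tester imported Burp's CA (clicking through the warning has the same effect)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(SECRET_REQUEST)
            return True
    except ssl.SSLCertVerificationError:
        return False  # the browser warning; the user has not clicked through


def pinned_client(port, expected_pin):
    """Client that only talks to the certificate it was built against. The trust store is
    not consulted, so an imported proxy CA changes nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # demo: pin instead of chain; production keeps both
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname="localhost") as tls:
        if cert_pin(tls.getpeercert(binary_form=True)) != expected_pin:
            return False  # abort before any application data is sent
        tls.sendall(SECRET_REQUEST)
        return True


def demo():
    out = {}
    with tempfile.TemporaryDirectory() as d:
        c = make_certs(d)
        real_pin = pin_from_pem_file(c["real.crt"])
        port, seen, t = tls_server(c["fake.crt"], c["fake.key"])   # proxy, stock browser
        out["stock_browser_connected"] = browser(port)
        t.join(5)
        port, seen, t = tls_server(c["fake.crt"], c["fake.key"])   # proxy, browser trusts proxy CA
        out["trusting_browser_connected"] = browser(port, c["proxyca.crt"])
        t.join(5)
        out["proxy_saw"] = seen["data"]
        port, seen, t = tls_server(c["fake.crt"], c["fake.key"])   # proxy, pinned client
        out["pinned_connected_to_proxy"] = pinned_client(port, real_pin)
        t.join(5)
        out["proxy_saw_from_pinned"] = seen["data"]
        port, seen, t = tls_server(c["real.crt"], c["real.key"])   # real server, pinned client
        out["pinned_connected_to_real"] = pinned_client(port, real_pin)
        t.join(5)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run it and the four cases line up with the comments: the stock client refuses the proxy's certificate, the client that trusts the proxy CA completes the handshake and the proxy reads `pass=hunter2`, the pinned client refuses the proxy even though the proxy's certificate has the right name, and the pinned client accepts the real server. Two caveats for the asker's situation: pinning is a property of the client (a mobile app or a thick client you ship), not of Tomcat's `server.xml`, and a browser user who imports Burp's CA into a browser they control can always read their own requests; HTTPS protects the channel from third parties, not from the endpoint. For a production client, keep normal chain validation and add the pin (preferably on the SPKI, with a backup pin) rather than replacing validation as the demo does.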

0 Answers