(SM) Support Tip: How to use a proxy interceptor such as Burp to verify a security issue

(SM) Support Tip:  How to use a proxy interceptor such as Burp to verify a security issue like SQL Injection exists or doesn’t.


- Downloaded Burp from: https://portswigger.net/burp/download.html

- Once installed you’ll want to execute burpsuite_free_v1.7.03.jar

- Choose Temporary Project and click Next

- Click Start Burp

- Choose the Proxy tab -> Options

- You’ll want to click Edit on the Proxy Listeners and enter something such as the following:

See screenshot1.png


All other default settings are fine but you may have to scroll to Miscellaneous and select “Allow requests to web interface using fully qualified DNS host names”.

- Bring up a browser such as IE and select Tools->Internet Options->Connections->Lan Settings

- Set the proxy to what you configured in Step 6 and click OK->Ok.

See screenshot2.png

- Log into a Webtier SM client.

- Select Incident Management->Search Incidents->Click Search Button so that a list of incidents appear.

- After clicking the Search button go back to your Burp client.

- Make sure you are on the Proxy->Intercept tab:

See screenshot3.png

- Click the “Intercept is off” button and the button will change to “Intecept is on” indicating it’s now intercepting requests.

- Go back to the SM webtier client and click the count records. You should have output like the following:

See screenshot4.png

In this example you can change the query to equal something else and click the Forward button to execute the command and continue to click forward to execute each request being sent to the server.

It will be ignored (has since been fixed) but you can see the messages being sent to Service Manager.