
(SM) Support Tip: How to use a proxy interceptor such as Burp to verify a security issue

(SM) Support Tip: How to use a proxy interceptor such as Burp to verify whether a security issue like SQL Injection exists or not.

How-To:

- Download Burp from: https://portswigger.net/burp/download.html

- Once installed, you’ll want to execute burpsuite_free_v1.7.03.jar

- Choose Temporary Project and click Next

- Click Start Burp

- Choose the Proxy tab -> Options

- You’ll want to click Edit on the Proxy Listeners and enter something such as the following:

See screenshot1.png


All other default settings are fine but you may have to scroll to Miscellaneous and select “Allow requests to web interface using fully qualified DNS host names”.

- Bring up a browser such as IE and select Tools->Internet Options->Connections->LAN Settings

- Set the proxy to the listener you configured in the Proxy Listeners step above and click OK->OK.

See screenshot2.png

- Log into a Webtier SM client.

- Select Incident Management->Search Incidents->Click Search Button so that a list of incidents appear.

- After clicking the Search button go back to your Burp client.

- Make sure you are on the Proxy->Intercept tab:

See screenshot3.png

- Click the “Intercept is off” button; it will change to “Intercept is on”, indicating that Burp is now intercepting requests.

- Go back to the SM webtier client and click Count Records. You should see output like the following:

See screenshot4.png

In this example you can change the query to something else and click the Forward button to execute the command. Keep clicking Forward to execute each subsequent request being sent to the server.

The modified query will be ignored (the issue has since been fixed), but you can see the messages being sent to Service Manager.
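As an added illustration of what this verification is testing for, here is a constructed, stand-alone Python model (not Service Manager's code, and not part of this tip) of a search handler that honours whatever query the client sends next to one that ignores client-supplied SQL; the table, field whitelist and tampered query are all assumed sample values.

```python
import sqlite3

# Constructed sample data standing in for an incident table (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incidents (id TEXT, assignee TEXT, title TEXT)")
    conn.executemany("INSERT INTO incidents VALUES (?, ?, ?)", [
        ("IM10001", "alice", "Printer offline"),
        ("IM10002", "bob", "VPN drops"),
        ("IM10003", "alice", "Disk full"),
    ])
    return conn

# Fields the search form may filter on (assumed whitelist).
ALLOWED_FIELDS = {"id", "assignee", "title"}

def search_unsafe(conn, client_query):
    """Honours the WHERE clause exactly as the client sent it. A request edited
    in the intercepting proxy therefore changes the result set."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM incidents WHERE " + client_query)]

def search_safe(conn, field, value):
    """Never sees raw SQL: the field must be whitelisted and the value is bound
    as a parameter, so an edited request cannot widen the query."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not searchable: %r" % field)
    return [r[0] for r in conn.execute(
        "SELECT id FROM incidents WHERE %s = ?" % field, (value,))]

def verify():
    """Replay the original and the edited request against both handlers and
    report which one returned rows the original request did not."""
    conn = make_db()
    original = "assignee = 'bob'"
    edited = "assignee = 'bob' OR 1=1"          # constructed tampered query
    unsafe_extra = set(search_unsafe(conn, edited)) - set(search_unsafe(conn, original))
    # In the safe handler the tampered text is just a literal assignee value.
    safe_extra = (set(search_safe(conn, "assignee", "bob' OR 1=1"))
                  - set(search_safe(conn, "assignee", "bob")))
    return {"unsafe_widened": bool(unsafe_extra), "safe_widened": bool(safe_extra)}

if __name__ == "__main__":
    print(verify())   # {'unsafe_widened': True, 'safe_widened': False}
```

If the server behaves like `search_safe`, the edited request forwarded from Burp produces no extra records, which is the outcome the tip describes.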
