Friday, January 19, 2007

HTTP Proxy - BURP Suite

As more and more of our development centers around integrating various systems, we find that troubleshooting issues gets more and more complicated. Instead of just walking through my own code with a debugger or examining log files, you have to involve other groups and application owners. Part of the hassle is convincing other people that there is a problem at all, let alone where the problem might lie. Complicate that with the fact that you may not have as much visibility into the whole transport layer as you might like.

I trace through all my code to the last point before it fails, and that is a call into the SOAP connector. So the request may or may not be getting to the target system OK. The SOAP request you think you created and the one actually getting transmitted may be different.

Enter the BURP suite, a set of tools to act as an HTTP proxy and capture requests and responses. Now you know exactly what your app is spewing out and what the target system is responding (or not). It can be a simple proxy, showing you all the requests and responses, or you can intercept requests/responses, alter them, and forward that.
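To make the "what you built vs. what was transmitted" point concrete, here is an added example (not from the original post and not part of Burp): a stand-in recording proxy in Python that captures the request a client library really puts on the wire. The target host, the `Ping` envelope and the `urn:Ping` action are constructed sample values, and the proxy answers locally instead of forwarding so the example runs offline.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample payload and target; soap.example.invalid is never contacted.
ENVELOPE = (b'<?xml version="1.0"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body><Ping/></soap:Body></soap:Envelope>')
TARGET = "http://soap.example.invalid/service"

class RecordingProxy(BaseHTTPRequestHandler):
    captured = []  # one dict per request seen on the wire

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.captured.append({
            "request_line": self.requestline,
            "headers": dict(self.headers.items()),  # names exactly as transmitted
            "body": self.rfile.read(length),
        })
        # Answer locally instead of forwarding, so the example runs offline.
        reply = b"<ok/>"
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # silence the default stderr access log
        pass

def capture_soap_call():
    """Send one SOAP POST through the recording proxy; return (captured, reply)."""
    RecordingProxy.captured.clear()
    server = HTTPServer(("127.0.0.1", 0), RecordingProxy)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        proxy = "http://127.0.0.1:%d" % server.server_port
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
        req = urllib.request.Request(TARGET, data=ENVELOPE, headers={
            "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"urn:Ping"'})
        response_body = opener.open(req, timeout=5).read()
    finally:
        server.shutdown()
        server.server_close()
    return RecordingProxy.captured[0], response_body

if __name__ == "__main__":
    seen, _ = capture_soap_call()
    print(seen["request_line"], seen["headers"], seen["body"].decode(), sep="\n")
```

The capture shows headers the calling code never set (`Host`, `User-Agent`, `Connection`) and that `urllib` sends the `SOAPAction` header name as `Soapaction`, which is the kind of difference you only see at the proxy.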

Below: Main screen

Below: Detail screen showing a particular request, your altered request, and the response, each in tabs. I did some censoring to take out specific server names and stuff.

There are also other tools in the suite, like spider, repeater, etc., but I mostly find the proxy and interceptor useful for troubleshooting and testing. This thing is definitely worth the free download, especially if you are doing any kind of web services type crap and dealing with less-than-cooperative developers from other teams or systems.

Below is a screenshot of the configuration screen for the proxy. You can configure exactly what to capture and automatically alter some header info, etc.

BTW - You can click on any of the pictures for a bigger view. Closeups aren't just for porn anymore.
