Issue: How can I send a webservice request over SSL in SoapUI with basic proxy authentication?
A few days ago I was confronted with a rather simple challenge: sending a request to an HTTPS webservice with SoapUI by SmartBear. But as you might have guessed, there’s a catch. While I’m inside the company network, my request has to run through the company’s proxy. The preferences tab in SoapUI features a proxy configuration, which should be fairly easy to use. Despite setting the proxy and credentials, the proxy authentication fails. Using Wireshark I was able to determine that the Proxy-Authorization Header is missing in SSL requests. When using a webservice over HTTP, the Proxy-Authorization Header is set correctly. Checking the Preemptive Authentication box in SoapUI’s preferences didn’t resolve this problem either. Unfortunately this seems to be a bug in SoapUI. With a little handiwork, however, it’s possible to bypass this bug.
Prerequisites
When there’s no Proxy-Authorization Header in the request, the proxy will ask for an NTLM authorization using challenge-response. To use Basic Authentication, it’s possible to set the Proxy-Authorization Header manually – the authentication method is then sent to the proxy before a challenge for NTLM is received. The value of the Header contains the method (Basic) as well as the credentials in base64 encoding. This string may be crafted by hand, but can also be obtained by sniffing another request (e.g. Browser, SFTP) with a tool like Wireshark. The Header will then be sent in HTTP webservice requests – but not when using HTTPS.
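The header value described above, as an added example that is not code from the original post: this JavaScript (Node.js) code builds a Basic Proxy-Authorization value per RFC 7617 and decodes one back, which shows that anyone who captures the header recovers the proxy credentials. The function names and the sample credentials are hypothetical.

```javascript
// Build the value of a Proxy-Authorization header for the Basic scheme (RFC 7617):
// "Basic " + base64(user-id ":" password), with the credentials encoded as UTF-8.
function buildBasicProxyAuth(user, password) {
  if (user.includes(":")) {
    // The first colon separates user-id from password, so the user-id cannot contain one.
    throw new Error("user-id must not contain ':'");
  }
  if (/[\x00-\x1f\x7f]/.test(user + password)) {
    throw new Error("control characters are not allowed in credentials");
  }
  return "Basic " + Buffer.from(`${user}:${password}`, "utf8").toString("base64");
}

// Reverse direction: recover the credentials from a header value, e.g. one seen
// in a packet capture. Base64 is an encoding, not encryption.
function parseBasicProxyAuth(headerValue) {
  const match = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!match) {
    throw new Error("not a well-formed Basic credential");
  }
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) {
    throw new Error("decoded credential has no ':' separator");
  }
  // Split on the FIRST colon only; the password may contain further colons.
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample credentials (assumption, not from the original post).
const sampleHeader = buildBasicProxyAuth("jdoe", "s3cr:et");
console.log("Proxy-Authorization: " + sampleHeader);
console.log(parseBasicProxyAuth(sampleHeader));
```

Because the value is reversible, treat a copied header string like the password itself and keep it out of shared rule files and screenshots.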
Step 1 – Fiddler On The Proof
One possibility to bypass this behaviour when using HTTPS is to tamper with the data being sent, after a request is triggered in SoapUI. It’s quite easy to inject the Proxy-Authorization Header in outbound requests. There are some tools available for this operation – I chose Fiddler. An alternative when using NTLM might be CNTLM. After firing up Fiddler just hit Rules -> Customize Rules… or use the hotkey Control + R.
By now your text editor should have opened, containing the file to configure. Search for the following method:
static function OnBeforeRequest(oSession: Session) {
Within this function the Proxy-Authorization Header for outbound requests will be injected. I advise using an if statement to limit the injection to requests for the URL in question:
if (oSession.HostnameIs("my.example.com")) {
    oSession.oRequest["Proxy-Authorization"] = "Basic ABCDE=";
}
Step 2 – Setting up SoapUI
Finally, the request has to be routed through Fiddler. To achieve this, open the preferences in SoapUI, go to Proxy Settings and check Manual. Enter localhost as Host and 8888 as Port. Do not set any credentials; those are sent with the Proxy-Authorization Header.
Now the Proxy-Authorization Header should be set correctly in your outbound request. If the called webservice features WS-Security, this has to be set separately in the SOAP request, of course.