I have a J2EE application that can be intercepted by Burp Suite, which gets the parameters in the request, so I configured Tomcat and changed the publishing mode from HTTPS, but it can still be intercepted by Burp Suite. How do I harden the system to avoid the clear-text parameters of the transport being intercepted by Burp Suite?
Changes to tomcat\conf\server.xml
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="443" keystoreFile="D:/tools/apache-tomcat-6.0.53/.keystore" keystorePass="password"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
Changes to tomcat\conf\web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
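A server-side TLS connector only closes the clear-text path; a proxy whose CA the client browser trusts (which is how Burp Suite is normally installed on a tester's own machine) still terminates TLS and sees the parameters, so what can be checked on the server is that no connector still accepts plain HTTP and that the CONFIDENTIAL constraint really covers every URL. The following audit script is an added example, not part of the original post; the two XML fragments are constructed, modelled on the snippets above (a plain port 8080 connector is added to show the failure mode), and the script assumes the Tomcat 6 style files without an XML namespace declaration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the question's TLS connector plus a plain
# HTTP connector (typical Tomcat default) that was never removed or redirected.
SERVER_XML = """<Server><Service>
<Connector SSLEnabled="true" port="443" scheme="https" secure="true"
           sslProtocol="TLS" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed web.xml fragment mirroring the question's security-constraint.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
</web-app>"""

def audit_server_xml(text):
    """List connectors that would still carry request parameters in clear text."""
    findings = []
    root = ET.fromstring(text)  # assumes no xmlns on <Server>, as in Tomcat 6
    tls_ports = {c.get("port") for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}
    for c in root.iter("Connector"):
        port = c.get("port")
        if c.get("SSLEnabled") == "true":
            if c.get("secure") != "true" or c.get("scheme") != "https":
                findings.append(f"port {port}: SSLEnabled but secure/scheme not set")
        elif c.get("redirectPort") in tls_ports:
            pass  # plain listener that hands off to TLS when a CONFIDENTIAL constraint applies
        else:
            findings.append(f"port {port}: clear-text connector with no redirectPort to a TLS connector")
    return findings

def audit_web_xml(text):
    """Check that some security-constraint forces CONFIDENTIAL transport for every URL."""
    root = ET.fromstring(text)  # assumes no xmlns on <web-app>, as in the question's snippet
    for sc in root.iter("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if "/*" in patterns and guarantee == "CONFIDENTIAL":
            return []
    return ["no security-constraint forces CONFIDENTIAL transport for /*"]

if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML):
        print("FINDING:", finding)
```

Run against the real files, the script reports only server-side gaps; it cannot tell whether the client end trusts an interception proxy's certificate.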