In a recent project I tested a web service and we got a nice SoupUI project for it. SoupUI is a great tool but you somehow miss the nice features of Burp, such as the Intruder. But of course the idea comes immediately: why not to chain them? It turns out this is not as trivial as it seems for the first sight.
Although SoupUI has a built in proxy setting but it didn’t work for me. After Googling a little bit I found a great blog post about this exact problem here: http://ardsec.blogspot.de/2012/08/soapui-to-burp-fuzz-away.html.
The root cause of the problem is that it seems SoupUI ignores the proxy settings if the target service runs on HTTPS. I am sure the described solution works also fine but it seemed too complicated for me, so I tried a simpler one which works as well. It might be depending on the SoupUI version but in 4.5.1 it works just fine. So here it is:
1) Change the default Burp proxy to always use SSL (Proxy/Edit/Request Handling/Force use of SSL). This way Burp will forward the requests through SSL anyway.
2) Set up a proxy in SoupUI (File/Preferences/Proxy Settings/). Set the host and the port (I used 127.0.0.1:8008) then tick the ‘enable using proxy’ checkbox.
3) Change the URL of the request you are testing from HTTPS to HTTP.
With this solution the SoupUI proxy will properly work and the requests will be sent to Burp without SSL but Burp will force the SSL with the server so for the server everything will be the same.