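I have a J2EE application whose requests can be intercepted by Burp Suite, which can read the parameters in the request. So I configured Tomcat and changed the publishing mode to HTTPS, but Burp Suite can still intercept it. How can I harden the system so that the plaintext parameters being transmitted are not intercepted by Burp Suite?

Changes to tomcat\conf\server.xml: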
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="443" keystoreFile="D:/tools/apache-tomcat-6.0.53/.keystore" keystorePass="password"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />

Changes to tomcat\conf\web.xml:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Burp Suite interception record: [image]