Burp Suite User Forum

Create new post

How to use intruder to make a dictionary attack against a login that uses websockets?

Abe | Last updated: Jan 27, 2016 09:47PM UTC

Typically if I wanted to use intruder to try and use common passwords to log in to an account I would take the following steps: 1) With site running through Burp Proxy I would make a login attempt 2) I would then find that request and send it to intruder 3) I would supply a list of common passwords to replace the password in the request and look for success indicator in the response. I am currently testing a Meteor.js application that uses sockets and I've noticed that when I make a login request (or any http request) it always responds with: "204 No Content". I am assuming that the response occurs through the web socket layer and not the HTTP layer, but i am at a loss as to how I would use intruder to check for success after making the request since the HTTP response is always the same. Can this be done? If so - can you give me any pointers on how to accomplish it?

PortSwigger Agent | Last updated: Jan 28, 2016 09:20AM UTC

There isn't currently any WebSockets support in Intruder. One possibility (which isn't ideal) would be to run the usual Intruder attack and just monitor WebSockets messages passing via the Proxy (assuming that connection is established before the attack), looking for success events.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.