Burp Suite User Forum

Secure websocket requirements?

gibbers | Last updated: Jun 30, 2016 10:21PM UTC

While googling around for information, I found a blurb for a search result stating "Burp Suite v1.5.21 released, with WebSockets support, new nested scan .... or HTTP Auth header is required for successful wss:// upgrade." but the link goes to the tweet about the Burp Suite 1.5.21 release (https://twitter.com/burp_suite/status/428867963618217984). The tweet and the page it links to don't contain any additional information about what the other requirement could be. I'm also curious about how Burp tells the difference between a regular websocket connection and a secure one, but that's not super relevant to the question :P

PortSwigger Agent | Last updated: Jul 01, 2016 08:05AM UTC

The full release notes for the item you mentioned are here: http://releases.portswigger.net/2014/01/v1521.html

I'm not quite clear what your question is in relation to WebSockets, sorry.

Burp User | Last updated: Jul 01, 2016 11:18AM UTC

Basically, the blurb on Google mentions some condition that has to be met in order to successfully upgrade a websocket connection to use TLS but doesn't say what it is. I was curious what that requirement was. In addition, I was curious about how Burp knows that it needs to perform a TLS handshake with a browser attempting to make a websocket connection.

PortSwigger Agent | Last updated: Jul 01, 2016 11:21AM UTC

This is what I believe happens ... The HTTPS handshake precedes the negotiation of the WebSocket. First SSL happens, then the HTTP exchange agrees to upgrade to a WebSocket, and from that point onwards the existing SSL-enabled connection is used for asynchronous exchange of WebSockets messages. There isn't any need to establish a new underlying connection (in relation to either TCP or SSL).

Burp User | Last updated: Jul 01, 2016 11:29AM UTC

So there's no requirement besides just "perform a TLS handshake after the CONNECT request" and Burp can just tell when a handshake happens?

PortSwigger Agent | Last updated: Jul 01, 2016 12:20PM UTC

That's what I believe is the case.
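
An added example, not part of the thread and not Burp's code: it illustrates the ordering described above (TLS first, then the HTTP upgrade on the same connection) by checking whether a connection's first bytes are a TLS ClientHello and then validating the upgrade request per RFC 6455. The function names and sample bytes are constructed, and the first-byte check is an assumption about how an intercepting proxy could tell `ws` from `wss`, not a description of Burp's method.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Constructed sample: first bytes of a TLS record carrying a ClientHello.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301020001000001fc0303")
# Constructed sample: upgrade request using the example key from RFC 6455.
SAMPLE_UPGRADE = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\n"
                  b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
                  b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  b"Sec-WebSocket-Version: 13\r\n\r\n")

def starts_tls(first_bytes):
    """True if the bytes look like a TLS handshake record with a ClientHello."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16   # record type: handshake
            and first_bytes[1] == 0x03   # record version major (SSL 3.0 / TLS 1.x)
            and first_bytes[5] == 0x01)  # handshake type: ClientHello

def upgrade_key(request):
    """Return Sec-WebSocket-Key if the HTTP request asks for a WebSocket upgrade."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if headers.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return None
    return headers.get("sec-websocket-key")

def accept_for(key):
    """Sec-WebSocket-Accept value the server must return in its 101 response."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def classify(first_bytes, http_request):
    """first_bytes: what arrives on the connection first (hypothetical proxy view).
    http_request: the HTTP request as seen in plaintext (after TLS, if any)."""
    tls = starts_tls(first_bytes)
    key = upgrade_key(http_request)
    if key is None:
        return ("https" if tls else "http", None)
    return ("wss" if tls else "ws", accept_for(key))

if __name__ == "__main__":
    print(classify(SAMPLE_CLIENT_HELLO, SAMPLE_UPGRADE))  # TLS first, then upgrade
    print(classify(SAMPLE_UPGRADE, SAMPLE_UPGRADE))       # plaintext upgrade
```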
