The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Secure websocket requirements?

gibbers | Last updated: Jun 30, 2016 10:21PM UTC

While googling around for information, I found a blurb for a search result stating "Burp Suite v1.5.21 released, with WebSockets support, new nested scan .... or HTTP Auth header is required for successful wss:// upgrade." but the link goes to the tweet about the Burp Suite 1.5.21 release (https://twitter.com/burp_suite/status/428867963618217984). The tweet and the page it links to don't contain any additional information about what the other requirement could be. I'm also curious about how Burp tells the difference between a regular websocket connection and a secure one, but that's not super relevant to the question :P

PortSwigger Agent | Last updated: Jul 01, 2016 08:05AM UTC

The full release notes for the item you mentioned are here: http://releases.portswigger.net/2014/01/v1521.html

I'm not quite clear what your question is in relation to WebSockets, sorry.

Burp User | Last updated: Jul 01, 2016 11:18AM UTC

Basically the blurb on Google mentions some condition that has to be met in order to successfully upgrade a websocket connection to use TLS but doesn't say what it is. I was curious what that requirement was. In addition, I was curious about how Burp knows that it needs to perform a TLS handshake with a browser attempting to make a websocket connection.

PortSwigger Agent | Last updated: Jul 01, 2016 11:21AM UTC

This is what I believe happens ... The HTTPS handshake precedes the negotiation of the WebSocket. First SSL happens, then the HTTP exchange agrees to upgrade to a WebSocket, and from that point onwards the existing SSL-enabled connection is used for asynchronous exchange of WebSockets messages. There isn't any need to establish a new underlying connection (in relation to either TCP or SSL).
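The layering described in the reply above, shown as an added example that is not part of the original thread and is not Burp's own code: a Python sketch of how an intercepting proxy could classify the first bytes a client sends, and what the WebSocket upgrade request and accept value look like once the stream is readable. The sample bytes, host and path are constructed; the key and expected accept value are the worked example from RFC 6455.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Constructed samples: first bytes of a TLS ClientHello record, and a plaintext
# upgrade request (host and path are made up; the key is RFC 6455's example).
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
UPGRADE = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
           b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Version: 13\r\n"
           b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")


def is_tls_client_hello(data: bytes) -> bool:
    """Record type 0x16 (handshake), major version 3, handshake type 1."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_request(raw: bytes):
    """Return (method, lower-cased header dict) for a plaintext HTTP request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers


def is_ws_upgrade(raw: bytes) -> bool:
    """RFC 6455 opening handshake: GET plus Upgrade, Connection, key and version."""
    method, h = parse_request(raw)
    conn = [t.strip().lower() for t in h.get("connection", "").split(",")]
    return (method == "GET" and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in conn and h.get("sec-websocket-version") == "13"
            and "sec-websocket-key" in h)


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server sends back with its 101 response."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def first_layer(first_bytes: bytes) -> str:
    """Classify what the client sends first on the connection or CONNECT tunnel."""
    if is_tls_client_hello(first_bytes):
        return "tls"  # any upgrade request is inside TLS, readable only after decryption
    return "websocket-upgrade" if is_ws_upgrade(first_bytes) else "other"
```

For a wss:// connection the same `is_ws_upgrade` check applies to the decrypted request, since the upgrade travels over the already-established TLS connection.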

Burp User | Last updated: Jul 01, 2016 11:29AM UTC

So there's no requirement besides just "perform a TLS handshake after the CONNECT request" and Burp can just tell when a handshake happens?

PortSwigger Agent | Last updated: Jul 01, 2016 12:20PM UTC