Burp Suite User Forum

Login to post

WebSocket API

Davide | Last updated: Dec 20, 2018 09:05AM UTC

I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly? I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could create a free extension and publish it.

PortSwigger Agent | Last updated: Dec 20, 2018 09:55AM UTC

Unfortunately there is currently no API for extensions to work with WebSockets. This is a much requested feature and we're like to work on it when Burp 2 is out of beta. What exactly did you want to do? We're capturing use cases to help us with the design of the feature in future.

Burp User | Last updated: Dec 22, 2018 06:54AM UTC

If possible stop and intercept the request to edit it on the fly. I'm not an expert on this protocol, but I guess it's not possible to have something like the repeater and the intruder, right? The ability to pass the incoming/outgoing request to an external program. In most cases the protocol used is custom developed, so that would solve all issues (and I think it would be easier to implement for you). Burp does an amazing job stripping the encryption, but sadly we're stuck in the "read only" mode. Since most of the request are valid in a specific context, the ability to edit on the fly is a show stopper. Sadly nowadays it seems that if you want to protect your application, you only need to use secure websockets :( Please I'm willing to be the guinea pig for this feature, I'm currently reversing engineering a game protocol and when I'm done I'd wish to start fuzzing client/server communications. What I only need would be an API to hook before the request is sent or received, with the original data passed. Then I'll do all the magic there. Maybe the ability to redirect the traffic to another local port, so we can have long running process handling it?

PortSwigger Agent | Last updated: Dec 28, 2018 09:20AM UTC

Thanks for the suggestions and the offer to be a guinea pig. We'll bear this in mind when we work on this in future. This is likely to be a little way down the line.

Burp User | Last updated: Dec 30, 2018 04:34PM UTC

FYI I went that extra mile and tweaked an existing proxy to be available to edit WebSocket requests on the fly, after chaining it as Upstream proxy. Full details here: https://www.nc-lp.com/blog/edit-websocket-requests-with-burp

Rose, PortSwigger Agent | Last updated: Dec 31, 2018 09:14AM UTC

Craig, we have this use case logged in our development backlog. The work is in this year's road map.

Burp User | Last updated: Jan 17, 2019 08:14PM UTC

My Use case: I' testing a mobile app that speaks web sockets, the payloads are encrypted with a static key and IV found within the binary. I can decrypt the payloads manually to json but tampering and re encrypting is not straightforward. I need the ability to write extensions to decrypt web socket requests/responses, turning them back in to JSON and presenting this in a new decoded tab next to the original. I'd also want to be able to send them to intruder scanner etc and simply allow a match/replace on decrypted values before re-encrypting and sending on to the server.

Burp User | Last updated: May 18, 2019 08:53AM UTC

Pleased to hear this will get your focus when 2.0 is out of beta. I'm testing a web app that makes heavy use of AWS IoT, so AWS signed MQTT requests via WebSockets.... There may well be a good reason why you haven't gone further with your WebSockets support - particularly exposing the stream via the extender APIs but it seems a notable gap.

Mike, PortSwigger Agent | Last updated: Jul 17, 2019 09:15AM UTC

Hi, Web Sockets have now been implemented in Repeater & Burp Proxy. Unfortunately, we don't have an ETA to provide functionality through the Extender API. As this is a requested feature it is on our long term roadmap so you should expect to see it in the future.

Burp User | Last updated: Nov 07, 2019 04:02PM UTC

Hi burp team! Any ETA on this feature ? Is it still on this year's road map ? Web Sockets API seems to be a pretty essential feature. Thanks.

Burp User | Last updated: Dec 12, 2019 02:33PM UTC

My use case is a mobile app that compresses JSON communications over WS with its own algorithm. Writing a decoder is trivial, but currently there is no mechanism to add it into the WS history tab, similar to how JSON Beautifier plugin works.

Ben, PortSwigger Agent | Last updated: Dec 12, 2019 02:43PM UTC

Thank you for your feedback David. We will update this thread when we have some further information regarding this feature request.

Burp User | Last updated: Jan 30, 2020 12:19AM UTC

Just adding my +1 for requesting websocket Extender API functionality. Would love to extend the websocket proxy functionality with my own extenders. Thanks

Ashley | Last updated: Apr 22, 2020 02:14AM UTC

Another +1 from me - I've written a SignalR parser for testing Blazor apps, but can't find a way to integrate it into Burp without Extender API support.

Ben, PortSwigger Agent | Last updated: Apr 22, 2020 08:28AM UTC

Thanks for your feedback Ashley. As noted, we will update this thread when we have some further news to share.

You need to Log in to post a reply. Or register here, for free.