Burp Suite User Forum

WebSocket API

Davide | Last updated: Dec 20, 2018 09:05AM UTC

I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly? I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could create a free extension and publish it.

PortSwigger Agent | Last updated: Dec 20, 2018 09:55AM UTC

Unfortunately there is currently no API for extensions to work with WebSockets. This is a much requested feature and we'd like to work on it when Burp 2 is out of beta. What exactly did you want to do? We're capturing use cases to help us with the design of the feature in future.

Burp User | Last updated: Dec 22, 2018 06:54AM UTC

If possible, stop and intercept the request to edit it on the fly. I'm not an expert on this protocol, but I guess it's not possible to have something like the repeater and the intruder, right? The ability to pass the incoming/outgoing request to an external program. In most cases the protocol used is custom developed, so that would solve all issues (and I think it would be easier to implement for you). Burp does an amazing job stripping the encryption, but sadly we're stuck in the "read only" mode. Since most of the requests are valid in a specific context, the ability to edit on the fly is a show stopper. Sadly nowadays it seems that if you want to protect your application, you only need to use secure websockets :( Please, I'm willing to be the guinea pig for this feature. I'm currently reverse engineering a game protocol and when I'm done I'd wish to start fuzzing client/server communications. What I only need would be an API to hook before the request is sent or received, with the original data passed. Then I'll do all the magic there. Maybe the ability to redirect the traffic to another local port, so we can have a long-running process handling it?

PortSwigger Agent | Last updated: Dec 28, 2018 09:20AM UTC

Thanks for the suggestions and the offer to be a guinea pig. We'll bear this in mind when we work on this in future. This is likely to be a little way down the line.

Burp User | Last updated: Dec 30, 2018 04:34PM UTC

FYI I went that extra mile and tweaked an existing proxy to be available to edit WebSocket requests on the fly, after chaining it as Upstream proxy. Full details here: https://www.nc-lp.com/blog/edit-websocket-requests-with-burp

Rose, PortSwigger Agent | Last updated: Dec 31, 2018 09:14AM UTC

Craig, we have this use case logged in our development backlog. The work is in this year's road map.

Burp User | Last updated: Jan 17, 2019 08:14PM UTC

My use case: I'm testing a mobile app that speaks web sockets; the payloads are encrypted with a static key and IV found within the binary. I can decrypt the payloads manually to JSON, but tampering and re-encrypting is not straightforward. I need the ability to write extensions to decrypt web socket requests/responses, turning them back into JSON and presenting this in a new decoded tab next to the original. I'd also want to be able to send them to Intruder, Scanner, etc. and simply allow a match/replace on decrypted values before re-encrypting and sending on to the server.

Burp User | Last updated: May 18, 2019 08:53AM UTC

Pleased to hear this will get your focus when 2.0 is out of beta. I'm testing a web app that makes heavy use of AWS IoT, so AWS signed MQTT requests via WebSockets.... There may well be a good reason why you haven't gone further with your WebSockets support - particularly exposing the stream via the extender APIs but it seems a notable gap.

Mike, PortSwigger Agent | Last updated: Jul 17, 2019 09:15AM UTC

Hi, Web Sockets have now been implemented in Repeater & Burp Proxy. Unfortunately, we don't have an ETA to provide functionality through the Extender API. As this is a requested feature it is on our long term roadmap so you should expect to see it in the future.

Burp User | Last updated: Nov 07, 2019 04:02PM UTC

Hi Burp team! Any ETA on this feature? Is it still on this year's road map? Web Sockets API seems to be a pretty essential feature. Thanks.

Burp User | Last updated: Dec 12, 2019 02:33PM UTC

My use case is a mobile app that compresses JSON communications over WS with its own algorithm. Writing a decoder is trivial, but currently there is no mechanism to add it into the WS history tab, similar to how JSON Beautifier plugin works.

Ben, PortSwigger Agent | Last updated: Dec 12, 2019 02:43PM UTC

Thank you for your feedback David. We will update this thread when we have some further information regarding this feature request.

Burp User | Last updated: Jan 30, 2020 12:19AM UTC

Just adding my +1 for requesting websocket Extender API functionality. Would love to extend the websocket proxy functionality with my own extenders. Thanks

Ashley | Last updated: Apr 22, 2020 02:14AM UTC

Another +1 from me - I've written a SignalR parser for testing Blazor apps, but can't find a way to integrate it into Burp without Extender API support.

Ben, PortSwigger Agent | Last updated: Apr 22, 2020 08:28AM UTC

Thanks for your feedback Ashley. As noted, we will update this thread when we have some further news to share.

Grzegorz | Last updated: Aug 30, 2020 07:37PM UTC

Hello, I've just got an ASP.NET application for penetration testing that uses a Blazor app, where SignalR with the MessagePack protocol is used for communication via WebSocket. The first thing that came to my mind was to write a MessagePack parser for WebSocket communication in Burp but, apparently, there is no API. Any chance this will change in the near future? Thanks in advance.

Hannah, PortSwigger Agent | Last updated: Sep 01, 2020 09:43AM UTC

Hi. Unfortunately, this functionality is still in our backlog. We are unable to provide an ETA due to the high number of feature requests we have. I've added your use-case information to help better prioritize this request.

Michal | Last updated: Oct 27, 2020 08:37AM UTC

The fact that Extender still does not support WebSockets is quite annoying. The solution seems to be as simple as adding processWebSocketsMessage() (or shorter processWSMessage()) to the IHttpListener interface. This feature request was opened almost 2 years ago. Is anyone working on this?

Hannah, PortSwigger Agent | Last updated: Oct 27, 2020 01:24PM UTC

Hi Michal. Unfortunately, this request is still in our backlog. You can check out our roadmap for what we're currently working on here: https://portswigger.net/burp/pro/roadmap

Maxwell | Last updated: Jul 05, 2023 06:04PM UTC

Hey! Do we have any updates on this? It's been 2 and a half years since anything was posted on this. If so, I'd appreciate some links to documentation on writing extensions that can use websockets.

Hannah, PortSwigger Agent | Last updated: Jul 06, 2023 08:27AM UTC

Hi. You can interact with WebSockets using our Montoya API. Documentation can be found here:
- https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/websocket/WebSockets.html
- https://portswigger.net/burp/documentation/desktop/extensions/creating
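
An added example, not part of the thread and not PortSwigger's own code: a Montoya API extension that hooks each WebSocket message before it is forwarded, which is the capability requested earlier in this thread. The class name and the match/replace strings are placeholders constructed for illustration; compile it against the Montoya API JAR.

```java
import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.websocket.BinaryMessage;
import burp.api.montoya.websocket.BinaryMessageAction;
import burp.api.montoya.websocket.Direction;
import burp.api.montoya.websocket.MessageHandler;
import burp.api.montoya.websocket.TextMessage;
import burp.api.montoya.websocket.TextMessageAction;

// Hypothetical class name; register it as the extension entry point.
public class WebSocketRewriteExample implements BurpExtension {
    // Placeholder match/replace pair (constructed for this example).
    private static final String MATCH = "ORIGINAL_VALUE";
    private static final String REPLACE = "REPLACED_VALUE";

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("WebSocket rewrite example");

        // Called for each new WebSocket; attach a handler to that connection.
        api.websockets().registerWebSocketCreatedHandler(created ->
            created.webSocket().registerMessageHandler(new MessageHandler() {
                @Override
                public TextMessageAction handleTextMessage(TextMessage msg) {
                    // Leave server-to-client traffic untouched.
                    if (msg.direction() != Direction.CLIENT_TO_SERVER) {
                        return TextMessageAction.continueWith(msg.payload());
                    }
                    String edited = msg.payload().replace(MATCH, REPLACE);
                    if (!edited.equals(msg.payload())) {
                        api.logging().logToOutput("Rewrote outgoing WebSocket message");
                    }
                    return TextMessageAction.continueWith(edited);
                }

                @Override
                public BinaryMessageAction handleBinaryMessage(BinaryMessage msg) {
                    // Binary frames pass through unchanged; a decoder for a
                    // custom format would go here.
                    api.logging().logToOutput(msg.direction() + " binary message, "
                        + msg.payload().length() + " bytes");
                    return BinaryMessageAction.continueWith(msg.payload());
                }
            }));
    }
}
```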
