Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

WebSocket API

Davide Tampellini Dec 20, 2018 09:05AM UTC

I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly?
I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could create a free extension and publish it.


Paul Johnston Dec 20, 2018 09:58AM UTC Support Center agent

Unfortunately there is currently no API for extensions to work with WebSockets. This is a much requested feature and we’re like to work on it when Burp 2 is out of beta.

What exactly did you want to do? We’re capturing use cases to help us with the design of the feature in future.


Davide Tampellini Dec 22, 2018 06:54AM UTC
If possible stop and intercept the request to edit it on the fly.
I'm not an expert on this protocol, but I guess it's not possible to have something like the repeater and the intruder, right?

The ability to pass the incoming/outgoing request to an external program. In most cases the protocol used is custom developed, so that would solve all issues (and I think it would be easier to implement for you).

Burp does an amazing job stripping the encryption, but sadly we're stuck in the "read only" mode. Since most of the request are valid in a specific context, the ability to edit on the fly is a show stopper.

Sadly nowadays it seems that if you want to protect your application, you only need to use secure websockets :(

Please I'm willing to be the guinea pig for this feature, I'm currently reversing engineering a game protocol and when I'm done I'd wish to start fuzzing client/server communications. What I only need would be an API to hook before the request is sent or received, with the original data passed.
Then I'll do all the magic there.
Maybe the ability to redirect the traffic to another local port, so we can have long running process handling it?

Paul Johnston Dec 28, 2018 10:30AM UTC Support Center agent

Thanks for the suggestions and the offer to be a guinea pig. We’ll bear this in mind when we work on this in future. This is likely to be a little way down the line.


Davide Tampellini Dec 30, 2018 04:34PM UTC
FYI I went that extra mile and tweaked an existing proxy to be available to edit WebSocket requests on the fly, after chaining it as Upstream proxy.
Full details here: https://www.nc-lp.com/blog/edit-websocket-requests-with-burp

thekernel Jan 17, 2019 08:14PM UTC
My Use case:

I' testing a mobile app that speaks web sockets, the payloads are encrypted with a static key and IV found within the binary. I can decrypt the payloads manually to json but tampering and re encrypting is not straightforward.

I need the ability to write extensions to decrypt web socket requests/responses, turning them back in to JSON and presenting this in a new decoded tab next to the original.
I'd also want to be able to send them to intruder scanner etc and simply allow a match/replace on decrypted values before re-encrypting and sending on to the server.


Craig May 18, 2019 08:53AM UTC
Pleased to hear this will get your focus when 2.0 is out of beta. I'm testing a web app that makes heavy use of AWS IoT, so AWS signed MQTT requests via WebSockets.... There may well be a good reason why you haven't gone further with your WebSockets support - particularly exposing the stream via the extender APIs but it seems a notable gap.

Rose Krawczuk May 20, 2019 08:19AM UTC Support Center agent

Craig, we have this use case logged in our development backlog. The work is in this year’s road map.


plop Nov 07, 2019 04:02PM UTC
Hi burp team!
Any ETA on this feature ? Is it still on this year's road map ?
Web Sockets API seems to be a pretty essential feature.
Thanks.

Mike Eaton Nov 08, 2019 11:40AM UTC Support Center agent

Hi, Web Sockets have now been implemented in Repeater & Burp Proxy.

Unfortunately, we don’t have an ETA to provide functionality through the Extender API. As this is a requested feature it is on our long term roadmap so you should expect to see it in the future.


Post Your public answer

Your name
Your email address
Answer