I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly?
I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could create a free extension and publish it.
Unfortunately there is currently no API for extensions to work with WebSockets. This is a much requested feature and we’re like to work on it when Burp 2 is out of beta.
What exactly did you want to do? We’re capturing use cases to help us with the design of the feature in future.
I'm not an expert on this protocol, but I guess it's not possible to have something like the repeater and the intruder, right?
The ability to pass the incoming/outgoing request to an external program. In most cases the protocol used is custom developed, so that would solve all issues (and I think it would be easier to implement for you).
Burp does an amazing job stripping the encryption, but sadly we're stuck in the "read only" mode. Since most of the request are valid in a specific context, the ability to edit on the fly is a show stopper.
Sadly nowadays it seems that if you want to protect your application, you only need to use secure websockets :(
Please I'm willing to be the guinea pig for this feature, I'm currently reversing engineering a game protocol and when I'm done I'd wish to start fuzzing client/server communications. What I only need would be an API to hook before the request is sent or received, with the original data passed.
Then I'll do all the magic there.
Maybe the ability to redirect the traffic to another local port, so we can have long running process handling it?
Thanks for the suggestions and the offer to be a guinea pig. We’ll bear this in mind when we work on this in future. This is likely to be a little way down the line.
Full details here: https://www.nc-lp.com/blog/edit-websocket-requests-with-burp
I' testing a mobile app that speaks web sockets, the payloads are encrypted with a static key and IV found within the binary. I can decrypt the payloads manually to json but tampering and re encrypting is not straightforward.
I need the ability to write extensions to decrypt web socket requests/responses, turning them back in to JSON and presenting this in a new decoded tab next to the original.
I'd also want to be able to send them to intruder scanner etc and simply allow a match/replace on decrypted values before re-encrypting and sending on to the server.
Craig, we have this use case logged in our development backlog. The work is in this year’s road map.