Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

websockets 'Send to' repeater & intruder

scott | Last updated: Jul 30, 2015 10:56PM UTC

More and more of the Web apps I am pen-testing rely on Websockets for their main communication channel, and vector for XSS/sql-injection/CSRF etc. This would be very helpful if the functionality existing that exists for normal HTTP requests.

PortSwigger Agent | Last updated: Jul 31, 2015 08:15AM UTC

Thanks for this. We have this feature request captured in our backlog. Agreed, it would be great to have more testing capabilities around WebSockets. We can't currently provide an ETA for this feature, sorry.

PortSwigger Agent | Last updated: Feb 19, 2016 09:48AM UTC

Not as yet, sorry.

Burp User | Last updated: Apr 03, 2017 11:22AM UTC

Hi! Any updates in this feature?

Burp User | Last updated: May 04, 2017 02:01PM UTC

+1, would be very helpful. Websockets are on the rise!

Liam, PortSwigger Agent | Last updated: May 04, 2017 03:25PM UTC

We have this request logged in our near term backlog. However, we can't currently provide an ETA.

Burp User | Last updated: Sep 12, 2017 09:13AM UTC

Hi! This is extremely necessary feature! what are the difficulties for developing this? P.S. I love BurpSuite!

Burp User | Last updated: Sep 20, 2017 06:44PM UTC

+1 I'd love to have this feature.

PortSwigger Agent | Last updated: Sep 22, 2017 09:01AM UTC

Hi, Thanks for the feedback on this. I agree, this is an area we need to improve on. We are beginning to spec out the features we want to provide and hope to have something released in the coming months.

Burp User | Last updated: Oct 07, 2017 07:00AM UTC

Dear Portswigger team, Websockets testing through features such as repeater and intruder are a must have. We test websockets and are moving to other tools than Burp to satisfy our needs on that specific point. You really should provide some visibility regarding this. Thanks.

Burp User | Last updated: Oct 16, 2017 09:37AM UTC

Hi Nbvdt, What are you currently using to test websockets? Is there any burp plugin that might help here? Roel

PortSwigger Agent | Last updated: Oct 16, 2017 09:51AM UTC

Hi Homer, We have written the spec for Web Sockets support, but there's been no progress implementing it. The developers are very busy on a number of other stories just now.

Burp User | Last updated: Jan 16, 2018 09:22PM UTC

Same here. This has become a pretty essential feature. I currently need to use other tools for my testings.

Burp User | Last updated: Feb 27, 2018 01:49PM UTC

Unbelievable that this thread was created in 2015. It's 2018 and there's still no ability to add websocket requests to repeater or intruder. Guys, wake up.

Burp User | Last updated: Mar 03, 2018 12:11PM UTC

Indeed, same here. Really need it

Burp User | Last updated: Apr 23, 2018 05:37PM UTC

This feature really need :( Please, make it asap.

Burp User | Last updated: May 03, 2018 12:17PM UTC

Hi, We'd like to add to this request, too. @Paul Johnston what is the current status? Is there anything beta we might be able to try out?

Burp User | Last updated: Aug 20, 2018 04:55PM UTC

FYI, for anyone who needs this; ZAP supports this functionality and is a good work around until Burp Officially supports this. You can even fuzz stuff.

Liam, PortSwigger Agent | Last updated: Aug 22, 2018 07:54AM UTC

We released WebSockets for Repeater in Burp Suite Pro v2.1.01.

Burp User | Last updated: Nov 26, 2019 05:50PM UTC

What about Intruder ?

Liam, PortSwigger Agent | Last updated: Nov 27, 2019 08:59AM UTC

We have plans to review this functionality as part of next years roadmap.

Andrei | Last updated: Jul 01, 2021 04:17PM UTC

Hi, Was wondering if there is any update on this. I tried Burp Community Edition and couldn't find a way to send a websocket message to the Intruder. Has this been implemented and if not do you have any idea when it will be? Cheers, Andrei

Michelle, PortSwigger Agent | Last updated: Jul 02, 2021 01:43PM UTC

Thanks for your message. This hasn't been implemented yet but is still on the list. I'm afraid I don't have any timescales for it at the moment. I've added an extra vote to the feature request for you so I'll post back here when there are any updates.

jAMES | Last updated: Mar 04, 2022 03:57AM UTC

Add another vote... The repeater is good, but what we really need is Intruder.

Michelle, PortSwigger Agent | Last updated: Mar 04, 2022 07:52AM UTC

Your vote has been added too :)

employee427 | Last updated: Mar 04, 2022 09:35AM UTC

Hi, I'm a new user to Burp Suite (got my license today) and I immediately noticed the lack of this important feature. Given the current app i'm looking at is performing it's authentication through websocket- Sending websocket messages through the Intruder I believe it's a MUST HAVE FEATURE for 2022. +1 Vote

Michelle, PortSwigger Agent | Last updated: Mar 04, 2022 09:46AM UTC

Thanks for the feedback, we'll pass that on and add your interest.

Colin | Last updated: Mar 30, 2022 03:47PM UTC

Yikes, 7 years and this feature is still not possible to send WS messages to intruder :(

Noam | Last updated: Apr 11, 2022 07:54PM UTC

2,447 days from initial post. Portswigger, as you know- A lot of modern applications rely greatly on web sockets. Kindly post an update about the plans of implementing a feature similar to that. I think we can all agree that Burp will be more complete if we could alter and intrude web sockets on-the-fly.

Michelle, PortSwigger Agent | Last updated: Apr 14, 2022 01:43PM UTC

Hi both. We'll check with the team and be in touch.

Michelle, PortSwigger Agent | Last updated: Apr 20, 2022 12:21PM UTC

Hi We've been chatting to the team, we don't have any precise timescales for this one I'm afraid but it is still on our list to be done.

Colin | Last updated: Jun 06, 2023 07:58AM UTC

Hi Michelle, Another year has come and gone. Any update if this feature will ever make it to Burp?

Michelle, PortSwigger Agent | Last updated: Jun 06, 2023 12:39PM UTC

I'm afraid I still can't give any timescales but we're not forgetting about this one, it is still on the list.

Hopeforthebest | Last updated: Aug 21, 2023 01:09PM UTC

Coming back here on my bi-annual check of "this issue is on the roadmap since 2015" but we don't care and prefer to release slower, chunkier versions of BurpSuite every year. For reference : https://twitter.com/Jhaddix/status/1681757326431371264?s=20 As mentionned earlier in the thread, OWASP ZAP allows this since at least 2013 : -> https://digi.ninja/blog/zap_fuzzing.php Really hope to see some changes as the licenses get more and more expensive each year and as the overall quality decreases.

Dominyque, PortSwigger Agent | Last updated: Aug 21, 2023 01:56PM UTC

Hi Unfortunately, we still are not able to give an ETA on this functionality.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.