Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

WebSocket API

Davide Tampellini Dec 20, 2018 09:05AM UTC

I'm dealing more and more with websockets: is there _any_ way to modify requests on the fly?
I'm not afraid of writing a custom extension or fiddle with scripting my own tools. FWIW, if you provide some guidance, I could create a free extension and publish it.

Paul Johnston Dec 20, 2018 09:58AM UTC Support Center agent

Unfortunately there is currently no API for extensions to work with WebSockets. This is a much requested feature and we’re like to work on it when Burp 2 is out of beta.

What exactly did you want to do? We’re capturing use cases to help us with the design of the feature in future.

Davide Tampellini Dec 22, 2018 06:54AM UTC
If possible stop and intercept the request to edit it on the fly.
I'm not an expert on this protocol, but I guess it's not possible to have something like the repeater and the intruder, right?

The ability to pass the incoming/outgoing request to an external program. In most cases the protocol used is custom developed, so that would solve all issues (and I think it would be easier to implement for you).

Burp does an amazing job stripping the encryption, but sadly we're stuck in the "read only" mode. Since most of the request are valid in a specific context, the ability to edit on the fly is a show stopper.

Sadly nowadays it seems that if you want to protect your application, you only need to use secure websockets :(

Please I'm willing to be the guinea pig for this feature, I'm currently reversing engineering a game protocol and when I'm done I'd wish to start fuzzing client/server communications. What I only need would be an API to hook before the request is sent or received, with the original data passed.
Then I'll do all the magic there.
Maybe the ability to redirect the traffic to another local port, so we can have long running process handling it?

Paul Johnston Dec 28, 2018 10:30AM UTC Support Center agent

Thanks for the suggestions and the offer to be a guinea pig. We’ll bear this in mind when we work on this in future. This is likely to be a little way down the line.

Davide Tampellini Dec 30, 2018 04:34PM UTC
FYI I went that extra mile and tweaked an existing proxy to be available to edit WebSocket requests on the fly, after chaining it as Upstream proxy.
Full details here:

thekernel Jan 17, 2019 08:14PM UTC
My Use case:

I' testing a mobile app that speaks web sockets, the payloads are encrypted with a static key and IV found within the binary. I can decrypt the payloads manually to json but tampering and re encrypting is not straightforward.

I need the ability to write extensions to decrypt web socket requests/responses, turning them back in to JSON and presenting this in a new decoded tab next to the original.
I'd also want to be able to send them to intruder scanner etc and simply allow a match/replace on decrypted values before re-encrypting and sending on to the server.

Post Your public answer

Your name
Your email address