Professional Community

WebSocket Turbo Intruder

This extension enables advanced fuzzing of WebSocket messages using custom Python code. It provides two integrated tools: one for launching scripted attacks, and one that creates a middleware proxy for interacting with WebSocket connections via HTTP.

Features

  • Fuzz WebSocket messages using customizable Python scripts
  • Send custom WebSocket payloads with dynamic content replacement
  • Supports different WebSocket engines: Burp, Turbo, and Threaded
  • Optional HTTP middleware to route requests through WebSocket
  • Manual or programmatic control over connection configuration and message dispatch
  • Message logging with timestamp, direction, length, and comment support

Usage

Intruder Tool

  1. Right-click a WebSocket message and navigate to Extensions → WebSocket Turbo Intruder → Send to WebSocket Turbo Intruder.
  2. If part of the message is highlighted before sending, it will be replaced with %s in the payload.
  3. Select a template from the drop-down list.
  4. Edit the Python code to suit your testing logic.
  5. Start the attack to initiate a new WebSocket connection and send payloads.

Middleware Tool

  1. Right-click a WebSocket message and navigate to Extensions → WebSocket Turbo Intruder → Send to WebSocket HTTP Middleware.
  2. Click the Start button to launch the internal HTTP server.
  3. Each WebSocket connection creates an HTTP POST endpoint that forwards requests to the server.
  4. Select the desired HTTP server from the table, then use Burp tools to send HTTP requests to it.

Author

Zakhar Fedotkin (PortSwigger), Hannah L (PortSwigger)

Version

2.0.0

Last updated

06 August 2025

Estimated system impact

Overall impact: Empty

  • Memory: Empty
  • CPU: Empty
  • General: Empty
  • Scanner: Empty

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
