ProfessionalCommunity Edition

Manipulating WebSocket messages with Burp Suite

  • Last updated: January 29, 2024

  • Read time: 1 Minute

Finding vulnerabilities in WebSockets generally involves manipulating messages in ways that the application doesn't expect. For example, if you can modify existing messages or create new ones you may be able to deliver SQL injection or cross-site scripting exploits.

This tutorial explains how to modify and resend WebSocket messages in Repeater. You can follow along with the steps below using the Manipulating WebSocket messages to exploit vulnerabilities Web Security Academy lab.

Steps

To modify and re-send WebSocket messages:

  1. Browse around your target application to map its attack surface.
  2. Go to Proxy > WebSockets history. This tab displays a table of any WebSocket messages that Burp's browser has exchanged with the target host.
  3. Right-click a message that you want to re-send or modify (for example, an outbound chat message) and select Send to Repeater. Burp creates a new WebSocket tab in Repeater.
  4. Go to Repeater, select the new tab, and click Send.
  5. Check the History panel to confirm that the message was re-sent.
  6. In the Send WebSocket message panel, modify the message. For example, you could send a proof-of-concept XSS attack at this point.
  7. Click Send again.
  8. Confirm that the modified message appears in the History panel as sent.

Was this article helpful?