burp-piper icon indicating copy to clipboard operation
burp-piper copied to clipboard

Published 20 hours ago verified publisher icon silentsignal

Support for Websockets

Open dafta opened this issue 3 years ago • 6 comments
trafficstars

It would be great if Websocket support was added to this plugin. Just an ability to apply scripts to Websockets in addition to HTTP requests and responses. I regularly encounter Websockets with, for example, JSON with escaped quotes (") which then can't be prettified by Burp, and being able to script around that would be a major benefit of the plugin.

dafta avatar Oct 28 '22 12:10 dafta

Unfortunately, Websocket is off-limits for Burp extensions right now.

dnet avatar Oct 28 '22 13:10 dnet

That's unfortunate. Thank you for your response.

dafta avatar Oct 28 '22 14:10 dafta

I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket

v-p-b avatar Oct 28 '22 14:10 v-p-b

Yesterday's release of burp added the Montoya API, which apparently supports Websockets, at least according to the JavaDocs. I don't know if it's in a usable state right now, but it's probably something to look into.

This might require a refactor of the plugin on the new API, though.

dafta avatar Oct 28 '22 14:10 dafta

I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket

Unfortunately all I can see in the linked parts is a single entry point where you can register handlers by invoking WebSockets.registerWebSocketCreationHandler() and the rest of the classes in the namespace are the interface the handler itself needs to implement and the related interfaces implemented by instances passed from Burp to the Extension.

There's also WebSocketCreationHandler which refers to WebSockets.registerWebSocketCreationHandler yet that method doesn't even exist yet, so I have a feeling that even though the commit that brought these in says RELEASE this is still moving ground, so there's hope that maybe a MessageViewer-like interface might happen. But right now it seems that using this functionality to build something like what Piper does with HTTP messages would require a massive parallel reimplementation of the Burp WebSocket message GUI.

dnet avatar Oct 29 '22 21:10 dnet

Montoya just got a Websocket facelift:

Announcement: https://portswigger.net/burp/releases/professional-community-2023-2-3

Relevant API docs:

  • https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/websocket/WebSockets.html
  • https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/proxy/Proxy.html

v-p-b avatar Mar 16 '23 14:03 v-p-b