Open dafta opened 1 year ago
Unfortunately, Websocket is off-limits for Burp extensions right now.
That's unfortunate. Thank you for your response.
I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket
Yesterday's release of Burp added the Montoya API, which apparently supports Websockets, at least according to the JavaDocs. I don't know if it's in a usable state right now, but it's probably something to look into.
This might require a refactor of the plugin on the new API, though.
> I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket
Unfortunately all I can see in the linked parts is a single entry point where you can register handlers by invoking `WebSockets.registerWebSocketCreationHandler()` and the rest of the classes in the namespace are the interface the handler itself needs to implement and the related interfaces implemented by instances passed from Burp to the Extension.
There's also `WebSocketCreationHandler` which refers to `WebSockets.registerWebSocketCreationHandler` yet that method doesn't even exist yet, so I have a feeling that even though the commit that brought these in says `RELEASE` this is still moving ground, so there's hope that maybe a `MessageViewer`-like interface might happen. But right now it seems that using this functionality to build something like what Piper does with HTTP messages would require a massive parallel reimplementation of the Burp WebSocket message GUI.
Montoya just got a Websocket facelift:
Announcement: https://portswigger.net/burp/releases/professional-community-2023-2-3
Relevant API docs:
It would be great if Websocket support was added to this plugin. Just an ability to apply scripts to Websockets in addition to HTTP requests and responses. I regularly encounter Websockets with, for example, JSON with escaped quotes (\") which then can't be prettified by Burp, and being able to script around that would be a major benefit of the plugin.
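The use case in the last comment (WebSocket frames carrying JSON with escaped quotes), sketched as an added example that is not part of the thread or of the plugin: a stdin-to-stdout filter that decodes JSON nested inside JSON strings and pretty-prints it. The function names and the stdin/stdout wiring are assumptions, and the sample messages in the comments are constructed.

```python
import json
import sys

MAX_DEPTH = 5  # bound on how many layers of string-encoded JSON get unwrapped


def _expand(value, depth=0):
    """Recursively replace strings that hold a JSON object/array with the parsed value."""
    if isinstance(value, dict):
        return {k: _expand(v, depth) for k, v in value.items()}
    if isinstance(value, list):
        return [_expand(v, depth) for v in value]
    if isinstance(value, str) and depth < MAX_DEPTH:
        candidate = value.strip()
        if candidate[:1] in ("{", "["):
            try:
                return _expand(json.loads(candidate), depth + 1)
            except ValueError:
                return value  # looked like JSON but is not; keep the string
    return value


def prettify(message: str) -> str:
    """Return indented JSON for a message, or the message unchanged if it is not JSON."""
    text = message.strip()
    try:
        parsed = json.loads(text)
    except ValueError:
        # Bare payload with escaped quotes, e.g. {\"a\":1} (constructed sample):
        # treat it as the body of a JSON string literal and decode that.
        try:
            parsed = json.loads('"' + text + '"')
        except ValueError:
            return message
    expanded = _expand(parsed)
    if isinstance(expanded, str):
        return message  # plain text or a plain JSON string: nothing to prettify
    return json.dumps(expanded, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    # Assumed wiring: the calling tool pipes the frame text in and displays stdout.
    sys.stdout.write(prettify(sys.stdin.read()))
```
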