silentsignal / burp-piper

Piper Burp Suite Extender plugin
https://blog.silentsignal.eu/2020/03/27/unix-style-approach-to-web-application-testing/
GNU General Public License v3.0

Support for Websockets #31

Open dafta opened 1 year ago

dafta commented 1 year ago

It would be great if Websocket support was added to this plugin. Just an ability to apply scripts to Websockets in addition to HTTP requests and responses. I regularly encounter Websockets with, for example, JSON with escaped quotes (\") which then can't be prettified by Burp, and being able to script around that would be a major benefit of the plugin.
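The kind of script the request above has in mind, as an added example that is not part of the thread or of Piper's code: a stand-alone stdin-to-stdout filter that decodes JSON carried as an escaped string inside a text frame and pretty-prints the result. The names `unwrap`, `prettify`, `MAX_DEPTH` and the sample frame are assumptions made for illustration.

```python
import json
import sys

MAX_DEPTH = 8  # assumed cap on nested encodings, so crafted input cannot recurse deeply


def unwrap(value, depth=0):
    """Recursively replace strings that themselves hold JSON with the decoded value."""
    if depth >= MAX_DEPTH:
        return value
    if isinstance(value, str):
        text = value.strip()
        # Only containers are unwrapped; a string such as "123" or "true" stays a string.
        if text[:1] in ("{", "["):
            try:
                return unwrap(json.loads(text), depth + 1)
            except json.JSONDecodeError:
                return value  # looked like JSON but is not: keep it verbatim
        return value
    if isinstance(value, dict):
        return {k: unwrap(v, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [unwrap(v, depth + 1) for v in value]
    return value


def prettify(message: str) -> str:
    """Pretty-print one text frame; frames that are not JSON are returned unchanged."""
    try:
        decoded = json.loads(message)
    except json.JSONDecodeError:
        return message
    return json.dumps(unwrap(decoded), indent=2, ensure_ascii=False)


# Constructed sample frame: the "data" field carries a JSON document as an escaped string.
SAMPLE = '{"type":"msg","data":"{\\"user\\":\\"alice\\",\\"roles\\":[\\"admin\\"]}"}'

if __name__ == "__main__":
    # Filter mode: read the message from stdin, write the readable form to stdout.
    frame = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write(prettify(frame) + "\n")
```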

dnet commented 1 year ago

Unfortunately, Websocket is off-limits for Burp extensions right now.

dafta commented 1 year ago

That's unfortunate. Thank you for your response.

v-p-b commented 1 year ago

I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket

dafta commented 1 year ago

Yesterday's release of Burp added the Montoya API, which apparently supports Websockets, at least according to the JavaDocs. I don't know if it's in a usable state right now, but it's probably something to look into.

This might require a refactor of the plugin on the new API, though.

dnet commented 1 year ago

> I can see some positive progress in the new Montoya API: https://github.com/PortSwigger/burp-extensions-montoya-api/tree/main/api/src/main/java/burp/api/montoya/websocket

Unfortunately, all I can see in the linked parts is a single entry point where you can register handlers by invoking WebSockets.registerWebSocketCreationHandler(), and the rest of the classes in the namespace are the interface the handler itself needs to implement and the related interfaces implemented by instances passed from Burp to the Extension.

There's also WebSocketCreationHandler which refers to WebSockets.registerWebSocketCreationHandler yet that method doesn't even exist yet, so I have a feeling that even though the commit that brought these in says RELEASE this is still moving ground, so there's hope that maybe a MessageViewer-like interface might happen. But right now it seems that using this functionality to build something like what Piper does with HTTP messages would require a massive parallel reimplementation of the Burp WebSocket message GUI.

v-p-b commented 1 year ago

Montoya just got a Websocket facelift:

Announcement: https://portswigger.net/burp/releases/professional-community-2023-2-3

Relevant API docs: