Author: Jon Marien
Published: January 19, 2026

Definition

Finding WebSockets security vulnerabilities generally involves manipulating them in ways that the application doesn’t expect. You can do this using Burp Suite.

Burp Suite can:

  • Intercept and modify WebSocket messages.
  • Replay and generate new WebSocket messages.
  • Manipulate WebSocket connections.

Intercepting and modifying WebSocket messages

Burp Proxy can intercept and modify WebSocket messages, as follows:

  1. Open Burp’s browser.
  2. Browse to the application function that uses WebSockets. You can determine that WebSockets are being used by using the application and looking for entries appearing in the WebSockets history tab within Burp Proxy.
  3. In the Intercept tab of Burp Proxy, ensure that interception is turned on.
  4. When a WebSocket message is sent from the browser or server, it will be displayed in the Intercept tab for you to view or modify. Press the Forward button to forward the message.

You can configure whether client-to-server or server-to-client messages are intercepted in Burp Proxy. This is done in the Settings dialog, in the WebSocket interception rules settings.


Replaying and generating new WebSocket messages

As well as intercepting and modifying WebSocket messages on the fly, you can replay individual messages and generate new messages. To do this using Burp Repeater:

  • In Burp Proxy, select a message in the WebSockets history, or in the Intercept tab, and choose “Send to Repeater” from the context menu.
  • In Burp Repeater, you can now edit the message that was selected, and send it over and over.
  • You can enter a new message and send it in either direction, to the client or server.
  • In the “History” panel within Burp Repeater, you can view the history of messages that have been transmitted over the WebSocket connection. This includes messages that you have generated in Burp Repeater, and also any that were generated by the browser or server via the same connection.

Manipulating WebSocket connections

As well as manipulating WebSocket messages, it is sometimes necessary to manipulate the WebSocket handshake that establishes the connection.

There are various situations in which manipulating the WebSocket handshake might be necessary:

  • It can enable you to reach more attack surface.
  • Some attacks might cause your connection to drop so you need to establish a new one.
  • Tokens or other data in the original handshake request might be stale and need updating.

It is possible to manipulate the WebSocket handshake using Burp Repeater:

  1. Send a WebSocket message to Burp Repeater as already described.
  2. In Burp Repeater, click on the pencil icon next to the WebSocket URL. This opens a wizard that lets you attach to an existing connected WebSocket, clone a connected WebSocket, or reconnect to a disconnected WebSocket.
  3. If you choose to clone a connected WebSocket or reconnect to a disconnected WebSocket, then the wizard will show full details of the WebSocket handshake request, which you can edit as required before the handshake is performed.
  4. When you click “Connect”, Burp will attempt to carry out the configured handshake and display the result. If a new WebSocket connection was successfully established, you can then use this to send new messages in Burp Repeater.
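
Because every header in the handshake request can be edited before it is sent, the server has to validate the handshake itself rather than trust what the browser would normally send. The following is an added example, not part of the original article or of Burp Suite: a server-side check of a raw handshake request following RFC 6455. The origin allowlist, the `session` cookie name, the session store and the sample requests are constructed assumptions.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
ALLOWED_ORIGINS = {"https://app.example"}          # assumption: the app's own origin
LIVE_SESSIONS = {"live-session-id"}                # assumption: stand-in session store

def parse_headers(raw):
    """Return the handshake request's headers, names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in lines)}

def accept_value(key):
    """Sec-WebSocket-Accept the server returns for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(raw):
    """List the reasons to refuse this handshake; an empty list means accept."""
    h, problems = parse_headers(raw), []
    if h.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade is not websocket")
    if "upgrade" not in [t.strip().lower() for t in h.get("connection", "").split(",")]:
        problems.append("Connection lacks Upgrade")
    if h.get("sec-websocket-version") != "13":
        problems.append("unsupported Sec-WebSocket-Version")
    try:
        if len(base64.b64decode(h.get("sec-websocket-key", ""), validate=True)) != 16:
            raise ValueError("wrong nonce length")
    except ValueError:
        problems.append("Sec-WebSocket-Key is not a 16-byte nonce")
    if h.get("origin") not in ALLOWED_ORIGINS:
        problems.append("Origin not allowed")
    cookies = dict(c.strip().partition("=")[::2] for c in h.get("cookie", "").split(";"))
    if cookies.get("session") not in LIVE_SESSIONS:
        problems.append("session missing or stale")
    return problems

# Constructed sample: a handshake as the browser sent it, then an edited copy.
SAMPLE = ("GET /chat HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\n"
          "Connection: keep-alive, Upgrade\r\nSec-WebSocket-Version: 13\r\n"
          "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
          "Origin: https://app.example\r\nCookie: theme=dark; session=live-session-id\r\n\r\n")
EDITED = (SAMPLE.replace("https://app.example", "https://other.example")
                .replace("live-session-id", "expired-session-id"))

if __name__ == "__main__":
    print(check_handshake(SAMPLE), accept_value(parse_headers(SAMPLE)["sec-websocket-key"]))
    print(check_handshake(EDITED))
```

The unedited request passes every check, while the edited copy is refused for its origin and its stale session, which is the result the Repeater wizard would display as a failed handshake.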