Burp Analysis

In this section, we will learn how to analyze and manipulate data sent over WebSocket connections in Burp.

---

Inspecting Messages

WebSockets History Tab

Located within Proxy → WebSockets history

Features:

• Lists all WebSocket messages

• Filter to narrow down displayed messages

• Message data displayed at bottom

Column	Description
URL	WebSocket endpoint
Direction	To server / To client
Length	Message size
Time	Timestamp

---

Manipulating Messages

Intercept

Burp Intercept works for WebSocket messages just like HTTP requests:

• Enable Intercept

• Send/receive message via WebSocket

• Message is intercepted → manipulate before forwarding

Example: Manipulate echoed message so browser sees incorrect response.

Repeater

Send WebSocket messages to Burp Repeater:

• Set direction: To server or To client

• Replay messages

• Edit and send custom messages

• Inject messages from server to client without prior client message

Manipulating Handshake

1. Send any WebSocket message to Repeater

2. Click disconnect/reconnect icon to manage connection

3. Click pencil icon for WebSocket connection overview

Options:

Action	Description
Attach	Use different WebSocket connection
Clone	Establish new connection to same server (allows handshake manipulation)
New WebSocket	Connect to different server

Handshake manipulation:

• Inject new HTTP headers

• Change existing headers

• Modify endpoint path

---

Question Walkthrough

Task: Manipulate WebSocket traffic to obtain the flag.

Source Code Analysis

Download and analyze:

wget https://academy.hackthebox.com/storage/modules/231/src_websocket_intro.zip
unzip src_websocket_intro.zip -d src_websocket_intro

In server.py:

admin_info = open('/flag.txt').read()

@sock.route('/admin')
def admin(sock):
    while True:
        data = sock.receive(timeout=1)
        if data == '!get_admin_info':
            sock.send(admin_info)

Key finding: /admin endpoint responds with flag when receiving !get_admin_info

Method 1: Burp Repeater

1. Open Burp browser, navigate to target

2. Send any message to establish WebSocket connection

3. Go to WebSockets history tab

4. Send WebSocket message to Repeater

5. Click Select WebSocket → Clone

6. Edit endpoint from /echo to /admin

7. Connect

8. Send message: !get_admin_info

9. Flag returned in response!

Method 2: websocat (CLI)

Install websocat:

wget https://github.com/vi/websocat/releases/download/v1.11.0/websocat_max.x86_64-unknown-linux-musl
chmod +x websocat_max.x86_64-unknown-linux-musl

Send message:

echo -n '!get_admin_info' | ./websocat_max.x86_64-unknown-linux-musl -q ws://<TARGET_IP>:<PORT>/admin

---

Summary

┌─────────────────────────────────────────────────────────────────────────┐
│                    Burp WebSocket Capabilities                          │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Inspection:                                                           │
│  └── WebSockets history tab (Proxy)                                    │
│  └── View all messages and metadata                                    │
│                                                                         │
│  Manipulation:                                                         │
│  └── Intercept → modify messages in transit                            │
│  └── Repeater → replay, edit, inject messages                          │
│  └── Change direction (To server / To client)                          │
│                                                                         │
│  Connection Management:                                                │
│  └── Disconnect/Reconnect                                              │
│  └── Clone → new connection with modified handshake                    │
│  └── New WebSocket → connect to different server                       │
│  └── Attach → switch to different connection                           │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘