WebSocket Proxy and Interception Tools
WebSocket proxy tools let you intercept, inspect, and modify WebSocket traffic between clients and servers. Unlike standard HTTP traffic, which follows a simple request-response pattern, WebSocket establishes a persistent, bidirectional connection. This fundamental difference means that traditional HTTP proxy tools need special handling to work with WebSocket protocols. After the initial HTTP handshake that upgrades the connection, the proxy must maintain an open connection and relay frames in both directions continuously, rather than simply capturing discrete request-response pairs.
Why WebSocket Proxying Is Different
HTTP proxies are designed around the request-response model. They intercept a client request, optionally modify it, forward it to the server, receive the response, optionally modify it, and return it to the client. Each transaction is discrete and stateful only for the duration of that exchange.
WebSocket connections start with an HTTP Upgrade request, but once the handshake completes, the connection becomes a long-lived, full-duplex channel. Both client and server can send messages at any time without waiting for a response. A websocket interceptor must handle this continuous stream of frames flowing in both directions simultaneously. The proxy needs to parse WebSocket frames (which have their own framing protocol with masking, opcodes, and fragmentation), maintain connection state, and relay messages without breaking the timing or sequence that the application expects.
This is why not all HTTP proxy tools support WebSocket traffic, and why those that do often required significant engineering effort to add WebSocket capabilities. Tools that were built primarily for HTTP must be extended to handle the stateful, persistent nature of WebSocket connections.
Comparison Table
| Tool | Type | WebSocket Support | Modify Messages | Free | Platform |
|---|---|---|---|---|---|
| Burp Suite Pro | Security Testing | Full (Proxy, Repeater, Extensions) | Yes | No | Windows, macOS, Linux |
| Burp Suite Community | Security Testing | Limited (view only) | No | Yes | Windows, macOS, Linux |
| OWASP ZAP | Security Testing | Full (with add-on) | Yes | Yes | Windows, macOS, Linux |
| mitmproxy | CLI Proxy | Full (with scripting) | Yes | Yes | Windows, macOS, Linux |
| Charles Proxy | GUI Proxy | View only (read-only in v4.6+) | Limited | No | Windows, macOS, Linux |
| Fiddler Classic | GUI Proxy | View only | Limited | Yes | Windows only |
| Fiddler Everywhere | GUI Proxy | Full | Yes | No (trial available) | Windows, macOS, Linux |
| Proxyman | GUI Proxy | Full | Yes | Limited free tier | macOS, iOS |
| Wireshark | Packet Analyzer | View only (packet level) | No | Yes | Windows, macOS, Linux |
| Browser DevTools | Browser Built-in | View only | No | Yes | All (browser-based) |
| Browser Extensions | Browser Extension | Varies | Yes (tests.ws extension) | Varies | Chrome, Firefox |
Burp Suite
Burp Suite is the industry standard tool for web application security testing, and burp suite websocket support makes it equally powerful for WebSocket security assessments. Burp Suite Pro includes full WebSocket interception capabilities built directly into the Proxy and Repeater tabs, making it the go-to choice for websocket pentesting during professional security engagements.
To intercept WebSocket traffic in Burp Suite, configure your browser to use Burp as its proxy (typically localhost:8080), ensure you have installed the Burp CA certificate for intercepting encrypted WSS traffic, and navigate to a page that uses WebSocket. In the Proxy > WebSockets history tab, you will see all WebSocket connections established through the proxy, including the initial handshake and all subsequent messages.
The burp websocket implementation lets you view messages in real time, filter by connection, and search message content. More importantly, you can use the Repeater tab to replay and modify individual WebSocket messages. Right-click any message in the WebSocket history and send it to Repeater, where you can edit the message payload and resend it to test how the application handles malicious or malformed input.
For advanced websocket pentesting, Burp Suite supports extensions written in Java, Python, or Ruby. You can write custom extensions to automate WebSocket testing, implement custom fuzzing logic, or integrate WebSocket testing into your security scanning workflow. The Extender API provides hooks for intercepting and modifying WebSocket messages programmatically.
The main limitation is that Burp Suite Community Edition has restricted WebSocket features. You can view WebSocket traffic, but you cannot intercept, modify, or replay messages. Full burp websocket capabilities require Burp Suite Pro, which is a paid professional tool. However, for organizations conducting security testing, the investment is typically justified by the comprehensive feature set.
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is a free and open source alternative to Burp Suite, making it an excellent choice for teams that need websocket pentesting capabilities without a commercial license. While ZAP historically lagged behind Burp in WebSocket support, modern versions include strong zap websocket functionality through both core features and optional add-ons.
To enable full WebSocket support in ZAP, install the WebSocket add-on from the ZAP Marketplace (Tools > Manage Add-ons > Marketplace). This add-on enhances the built-in WebSocket capabilities with additional features for fuzzing, breakpoints, and message modification.
The zap websocket implementation displays all WebSocket connections in a dedicated tab, showing both the initial handshake and all subsequent frames. You can set breakpoints to intercept messages in both directions, modify message content before forwarding, and use the fuzzer to send multiple variations of a message to test application behavior.
ZAP also includes WebSocket testing in its Active Scan rules. When you run an active scan against a site that uses WebSocket, ZAP will attempt to inject common attack payloads into WebSocket messages, following owasp websocket testing methodologies. This automated approach can quickly identify common vulnerabilities like SQL injection, XSS, or command injection in WebSocket message handlers.
The OWASP WebSocket Security Testing cheat sheet provides additional guidance on manual testing techniques that complement ZAP’s automated features. ZAP is particularly good for teams that need a free pentesting tool with active community support and regular updates. While the interface is less polished than Burp Suite Pro, the functionality is comparable for most WebSocket testing scenarios.
mitmproxy
mitmproxy is an open source, Python-based proxy that excels at automated and scriptable interception. If you need to intercept, modify, or analyze WebSocket traffic programmatically, mitmproxy websocket support is the most flexible option available.
mitmproxy offers three interfaces: mitmproxy (interactive console), mitmdump (command-line with no UI), and mitmweb (web-based UI). All three support WebSocket interception. To capture WebSocket traffic, run mitmproxy and configure your client to use it as a proxy (default is localhost:8080). For encrypted WSS connections, install the mitmproxy certificate authority on your client system.
The real power of mitmproxy websocket interception is the Python scripting API. You can write scripts that hook into WebSocket events (connection opened, message received, connection closed) and modify traffic on the fly. This is perfect for automated testing, security research, or building custom debugging tools.
Here is a simple example of a mitmproxy script that logs and modifies WebSocket messages:
from mitmproxy import http, websocket
class WebSocketModifier:
def websocket_message(self, flow):
# Get the most recent message
message = flow.messages[-1]
# Log the message
print(f"[{message.type}] {message.content}")
# Modify messages from client to server
if message.from_client:
if b"attack" in message.content:
# Replace attack payload with benign content
message.content = message.content.replace(b"attack", b"benign")
print(f"Modified message: {message.content}")
# Modify messages from server to client
else:
# Add a marker to all server messages
if message.type == websocket.OPCODE.TEXT:
message.content = b"[PROXIED] " + message.content
addons = [WebSocketModifier()]Run this script with mitmproxy -s websocket_modifier.py and it will automatically log and modify WebSocket messages according to your logic. This makes mitmproxy the best option for automated WebSocket interception in CI/CD pipelines, research projects, or custom security testing frameworks.
mitmproxy is completely free and works on all major platforms. The learning curve is steeper than GUI tools, but the scripting capabilities are unmatched for programmatic WebSocket analysis.
Charles Proxy
Charles Proxy is a GUI-based HTTP proxy that is particularly popular among macOS developers. charles websocket support has evolved over time, with modern versions (4.6+) providing read-only viewing of WebSocket frames.
To view WebSocket connections in Charles, enable SSL proxying for the target host (Proxy > SSL Proxying Settings), configure your browser or application to use Charles as its proxy, and establish a WebSocket connection. Charles will display the WebSocket connection in the Structure view, and you can select it to see all frames in the Contents panel.
Charles shows both the initial HTTP handshake (including headers and the Upgrade request) and all subsequent WebSocket frames. You can see frame type (text, binary, ping, pong, close), direction (client to server or server to client), and payload content. For text frames, Charles displays the content as readable text. For binary frames, you see a hexadecimal representation.
The main limitation is that charles websocket support is primarily read-only. While you can view all messages, you cannot easily intercept and modify individual frames like you can in Burp Suite or OWASP ZAP. Some versions of Charles offer limited editing capabilities through breakpoints, but this is not as mature as dedicated security testing tools.
Charles is good for developers debugging their own applications, particularly on macOS where it integrates well with the system proxy settings. It provides a clean, intuitive interface for understanding what messages are being exchanged, which is often sufficient for development and debugging scenarios where you control both client and server.
Fiddler
Fiddler is a web debugging proxy that originated on Windows and has been a favorite among Windows developers for years. fiddler websocket support is available in both Fiddler Classic (Windows-only, free) and Fiddler Everywhere (cross-platform, paid).
In Fiddler Classic, enable HTTPS decryption (Tools > Options > HTTPS > Decrypt HTTPS traffic), configure your browser to use Fiddler as its proxy, and connect to a WebSocket endpoint. The WebSocket connection appears in the session list, and you can select it to view frames in the WebSocket tab on the right side.
Fiddler Classic shows WebSocket frames with their type, length, and content. You can view text messages as readable strings and binary messages in hexadecimal. However, like Charles, fiddler websocket capabilities in the classic version are mostly read-only. You can view messages but have limited ability to modify or replay them.
Fiddler Everywhere is the modern, cross-platform version built on .NET Core. It offers improved WebSocket support including the ability to compose and send custom WebSocket messages. This brings it closer to the functionality of Burp Suite, though still focused more on development and debugging than security testing.
Fiddler is good for Windows developers who want a free (Classic) or affordable (Everywhere) tool for debugging WebSocket connections. The interface is familiar to anyone who has done web development on Windows, and it integrates smoothly with Windows proxy settings and certificate stores.
Proxyman
Proxyman is a modern proxy tool built specifically for macOS and iOS, with a focus on a clean, native user interface. proxyman websocket support is comprehensive, allowing you to view, filter, and analyze WebSocket frames alongside standard HTTP traffic.
To intercept WebSocket traffic in Proxyman, install the Proxyman certificate (Certificate menu), enable macOS proxy (Proxyman automatically configures system settings), and access a WebSocket endpoint. Proxyman displays WebSocket connections in the session list with a distinctive icon, and selecting a connection shows all frames in the detail panel.
Proxyman excels at filtering and searching WebSocket messages. You can filter by connection, search message content, and use the timeline view to see messages in chronological context with other network activity. The interface is polished and intuitive, making it easy to understand message flow even in complex applications.
The proxyman websocket implementation is particularly strong for iOS development. Proxyman can intercept traffic from iOS devices and simulators without complex setup, making it the go-to tool for debugging WebSocket connections in iOS apps. You can also use Proxyman’s scripting feature to automatically modify WebSocket messages based on rules you define.
Proxyman offers a free tier with basic features and a paid Pro version that unlocks advanced capabilities like scripting, custom breakpoints, and map remote. For macOS and iOS developers working with WebSocket, Proxyman provides the best balance of power and usability.
Wireshark
Wireshark is a network protocol analyzer that operates at the packet level, giving you the deepest possible view into WebSocket communications. wireshark websocket capabilities are focused on protocol analysis rather than interception and modification.
Wireshark captures all network traffic on a selected interface and dissects it according to protocol specifications. To view WebSocket traffic, start a capture, generate WebSocket traffic, and then apply the filter websocket to show only WebSocket frames. Wireshark will automatically identify WebSocket traffic by recognizing the HTTP Upgrade handshake and then parsing subsequent frames according to the WebSocket protocol specification (RFC 6455).
The wireshark websocket dissector shows detailed information about each frame: opcode (text, binary, ping, pong, close), masking status, payload length, masking key (for client-to-server frames), and the actual payload data. You can see frame fragmentation, identify protocol violations, and analyze low-level details like TCP retransmissions or timing issues.
Useful Wireshark filters for WebSocket analysis include:
websocket- Show all WebSocket frameswebsocket.opcode == 1- Show only text frameswebsocket.opcode == 2- Show only binary frameswebsocket.opcode == 8- Show only close frameswebsocket.payload- Filter by payload contentwebsocket contains "search term"- Search message content
You can also use the “Follow WebSocket Stream” feature to see all frames in a single connection as a continuous conversation, similar to following a TCP stream.
The critical limitation is that Wireshark is read-only. You cannot modify traffic or inject custom messages. Wireshark is for analysis, not active testing. It is most useful for debugging protocol-level issues like frame fragmentation, masking errors, close handshake problems, or understanding timing relationships between WebSocket messages and other network activity.
For security testing, Wireshark complements tools like Burp Suite. Use Burp to modify and replay messages, then use Wireshark to verify exactly what was sent on the wire and how the protocol behaved.
Browser Extensions
Browser extensions provide an alternative approach to WebSocket interception that works directly in the browser without requiring proxy configuration. The tests.ws WebSocket Proxy Testing Tool Chrome extension (available here) is specifically designed for WebSocket testing and modification.
Unlike traditional proxies that sit between your browser and the internet, a browser extension runs inside the browser and can intercept WebSocket connections at the JavaScript API level. When a page creates a new WebSocket connection, the extension can intercept the constructor call, wrap the WebSocket object, and observe or modify all messages flowing through it.
The advantage of this approach is simplicity and precision. You do not need to configure system proxy settings, install certificates, or worry about SSL/TLS interception. The extension sees exactly what the web page sees, including WebSocket connections that might bypass system proxy settings. The websocket proxy extension approach works per-tab, giving you fine-grained control over which connections to intercept.
The tests.ws extension lets you view all WebSocket connections on a page, inspect messages in real time, compose and send custom messages, and modify messages before they reach the application. This is particularly useful for testing how a web application handles unexpected or malicious WebSocket messages without needing to set up a full proxy infrastructure.
The tradeoff is that browser extensions only work for connections made by web pages in that browser. They cannot intercept WebSocket connections from native applications, mobile apps, or other browsers. For comprehensive testing across all applications on a system, you still need a traditional proxy. But for web-based WebSocket testing, browser extensions offer the fastest path from zero to intercepting messages.
Browser DevTools
Modern browsers include built-in WebSocket inspection in their developer tools. Chrome, Firefox, Edge, and Safari all have a WebSocket or WS tab in the Network panel that shows WebSocket connections and messages.
To use DevTools for WebSocket inspection, open Developer Tools (F12 or Cmd+Option+I), go to the Network tab, and establish a WebSocket connection. Click on the WebSocket connection in the network log to see all frames. The Messages panel shows the content and direction of each message, with timestamps and frame sizes.
Browser DevTools are good for quick inspection during development. They are free, built-in, and require no setup. However, they are read-only. You can view messages but cannot modify them, replay them, or intercept them for security testing. For basic debugging, DevTools are often sufficient. For testing or security work, you need one of the more powerful tools described above.
Which Tool to Choose
Your choice of WebSocket proxy tool depends on your use case:
For security testing and pentesting: Use Burp Suite Pro if you have budget for a commercial tool. It is the industry standard for websocket pentesting and offers the most complete feature set for security testing. If you need a free alternative, OWASP ZAP provides comparable functionality with an open source license.
For automated and scripted interception: Use mitmproxy. The Python scripting API gives you complete control over WebSocket traffic, making it perfect for automated testing, security research, or building custom tools. If you need to integrate WebSocket testing into CI/CD pipelines or run automated modification logic, mitmproxy is the best choice.
For quick debugging on macOS: Use Charles Proxy or Proxyman. Both offer clean, native macOS interfaces that make it easy to see what is happening with WebSocket connections. Proxyman has better WebSocket support and a more modern interface, while Charles is more established and familiar to many developers.
For quick debugging on Windows: Use Fiddler. Fiddler Classic is free and has been the standard Windows debugging proxy for years. If you need more advanced features and cross-platform support, consider Fiddler Everywhere.
For protocol-level analysis: Use Wireshark. When you need to debug low-level protocol issues, see exactly what bytes are on the wire, or analyze timing and performance, Wireshark gives you packet-level visibility that application-layer proxies cannot match.
For in-browser testing: Use Browser DevTools for quick read-only inspection, or the tests.ws extension if you need to modify messages. Browser-based tools avoid proxy configuration complexity and work well for testing web applications during development.
For modifying messages in the browser: Use the tests.ws WebSocket Proxy Testing Tool extension. It provides active interception and modification capabilities without requiring a proxy, making it the fastest way to test how a web application handles modified WebSocket messages.
FAQ
Can Burp Suite intercept WSS (encrypted) WebSocket traffic?
Yes, Burp Suite can intercept WSS traffic (WebSocket over TLS/SSL). You need to configure your browser to trust the Burp CA certificate, which allows Burp to perform a man-in-the-middle interception of encrypted connections. Once the certificate is installed, Burp can decrypt WSS traffic, display the messages, and allow you to modify them just like unencrypted WS connections. This is a standard feature in both Burp Suite Pro and Community Edition, though only Pro allows message modification.
How do I proxy WebSocket through mitmproxy?
To proxy WebSocket through mitmproxy, run mitmproxy or mitmweb from the command line (it listens on port 8080 by default), configure your client application to use localhost:8080 as its HTTP/HTTPS proxy, and for encrypted WSS connections, install the mitmproxy CA certificate on your client system (mitmproxy generates this certificate automatically the first time you run it, and provides instructions for installation). Once configured, all WebSocket traffic will flow through mitmproxy where you can view it in the interface or process it with Python scripts.
What is the best free tool for WebSocket security testing?
OWASP ZAP is the best free tool for websocket pentesting and security testing. It provides full WebSocket interception, modification, fuzzing, and automated scanning capabilities at no cost. While Burp Suite Pro is more polished and widely used in professional security testing, ZAP offers comparable WebSocket functionality for teams that cannot justify the cost of a commercial license. For scripted or automated security testing, mitmproxy is also excellent and free, though it requires more technical expertise to use effectively.
Can I modify WebSocket messages with Wireshark?
No, Wireshark is a passive packet analyzer and cannot modify traffic. It captures and displays packets as they appear on the network, but it does not intercept or alter them. If you need to modify WebSocket messages, use an active proxy like Burp Suite, OWASP ZAP, or mitmproxy. Wireshark is best used alongside these tools for protocol-level analysis and verification. You can use Burp to send modified messages and then use Wireshark to confirm exactly what was sent on the wire and how the server responded at the packet level.