VYPR
research · Published Sep 17, 2025 · Updated May 20, 2026 · 1 source

PortSwigger Releases WebSocket Turbo Intruder for Deep Fuzzing of WebSocket Endpoints

PortSwigger Research has released WebSocket Turbo Intruder, a Burp Suite extension that enables high-speed fuzzing and automated testing of WebSocket connections, targeting a common blind spot in security testing.

PortSwigger Research has released a new Burp Suite extension called WebSocket Turbo Intruder, designed to address a significant blind spot in security testing: the shallow analysis of WebSocket connections. Many testers and automated tools abandon analysis once a protocol upgrade to WebSocket occurs, leaving vulnerabilities such as broken access controls, race conditions, and SQL injection undetected. The new tool brings Turbo Intruder's fast attack engine to WebSocket testing, enabling security researchers to fuzz WebSocket messages with custom Python code at high speed.

The extension supports thousands of messages per second and includes an HTTP adapter that allows integration with existing HTTP scanners for automated testing. It also features smart filtering to hide boring responses, helping testers focus on interesting results. WebSocket Turbo Intruder can be installed directly from the BApp Store or built from source on GitHub. Once installed, it appears as a new menu item when right-clicking on any message in Burp Suite.

WebSocket Turbo Intruder comes with two built-in tools: Turbo Intruder and HTTP Middleware. Turbo Intruder is best for sending thousands of WebSocket messages to a single target to look for interesting behavior, while HTTP Middleware is designed for automating scanning. The HTTP Middleware wraps a WebSocket connection inside an HTTP request, allowing testers to use filters to capture only relevant traffic while interacting with the server through a local HTTP endpoint. This setup is ideal for finding server-side vulnerabilities like SQL injection, authentication bypass, or command injection.

The tool also addresses unique WebSocket attack surfaces, such as server-side prototype pollution in Socket.IO implementations. Socket.IO is a popular JavaScript framework that comes with its own WebSocket implementation, which makes testing more complicated. WebSocket Turbo Intruder can work around these limitations, allowing testers to confirm that the server is using Socket.IO by checking the mandatory query parameter EIO, which specifies the protocol version. If it equals 4, the server sends ping packets, and the tool handles them accordingly.
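As an added example (not code from PortSwigger's extension or from this article), the Socket.IO plumbing the paragraph describes: reading the EIO version from the handshake URL, answering the server's keepalive pings when EIO=4, and unpacking a Socket.IO event frame so a test harness sees the payload it is actually exercising. The frame prefixes and event layout assumed here are the published Engine.IO/Socket.IO ones; the URLs and frames are constructed sample input.

```python
import json
from urllib.parse import parse_qs, urlparse

# Engine.IO packet types: the first character of every text frame.
EIO_OPEN, EIO_CLOSE, EIO_PING, EIO_PONG, EIO_MESSAGE = "0", "1", "2", "3", "4"
# Socket.IO packet types ride inside an Engine.IO MESSAGE frame as the second character.
SIO_CONNECT, SIO_EVENT = "0", "2"


def engineio_version(url):
    """Return the Engine.IO protocol version from the mandatory EIO query
    parameter of a Socket.IO handshake URL, or None if absent or invalid."""
    values = parse_qs(urlparse(url).query).get("EIO")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def keepalive_reply(frame, version):
    """Return the frame a client must send back to keep the connection alive.
    With EIO=4 the server sends PING ("2") and expects PONG ("3"); with EIO=3
    the roles are reversed, so there is nothing to answer here and the client
    has to originate pings itself."""
    if version == 4 and frame == EIO_PING:
        return EIO_PONG
    return None


def parse_socketio_event(frame):
    """Decode a Socket.IO EVENT frame: 42[/namespace,][ackId]["event", args...].
    Returns a dict, or None when the frame is not an event."""
    if len(frame) < 2 or frame[0] != EIO_MESSAGE or frame[1] != SIO_EVENT:
        return None
    body = frame[2:]
    nsp = "/"
    if body.startswith("/"):
        nsp, _, body = body.partition(",")  # namespace ends at the first comma
    digits = ""
    while body and body[0].isdigit():       # optional acknowledgement id
        digits, body = digits + body[0], body[1:]
    payload = json.loads(body)
    if not isinstance(payload, list) or not payload:
        return None
    return {"nsp": nsp, "id": int(digits) if digits else None,
            "event": payload[0], "args": payload[1:]}
```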

Other vulnerabilities that WebSocket Turbo Intruder can help exploit include race conditions and ping-of-death attacks. The extension's high-speed engine allows testers to send thousands of messages per second, making it easier to identify race conditions that might be missed with slower tools. The ping-of-death attack involves sending malformed ping frames to crash or disrupt WebSocket connections, and the tool can automate the generation and sending of such payloads.

While WebSocket Turbo Intruder includes a custom engine for speed, PortSwigger notes that it is not as battle-tested as Burp's built-in engine. If users encounter errors or connection issues, they are advised to switch back to the default engine. Additionally, the tool is designed for high-volume testing against a single target, as WebSocket connections must stay open, making testing large scopes tricky and not well supported.

The release of WebSocket Turbo Intruder fills a critical gap in the security testing landscape. As WebSocket usage continues to grow in modern web applications, the attack surface expands, and tools like this are essential for uncovering vulnerabilities that traditional HTTP-based scanners overlook. By enabling deep fuzzing and automated testing of WebSocket endpoints, PortSwigger Research is helping security professionals stay ahead of attackers who may exploit these blind spots.

Synthesized by Vypr AI