thc202 edited this page Feb 21, 2018 · 2 revisions


WebSockets can be used by web applications or web sites to set up a bi-directional (two-way), full-duplex communication channel over a single TCP connection. The protocol is lightweight, allowing developers to implement real-time use cases. WebSockets also provide an alternative to heavy use of Ajax, HTTP Long Polling or Comet.

After an initial HTTP-based handshake, the TCP connection is kept open, allowing applications to send and receive arbitrary data. Port 80 is often used, or port 443 for encrypted WebSocket channels.

The WebSocket standard is defined in:

  • The WebSocket API, which specifies the interface in browsers
  • The WebSocket Protocol (RFC6455), which describes the structure of WebSocket frames upon TCP

ZAP is able to:

  • intercept and show WebSocket messages
  • set breakpoints on specific types of WebSocket messages
  • fuzz WebSocket messages (send lots of invalid or unexpected data to a browser or server)

WebSocket messages are displayed within the WebSockets tab.

The WebSocket add-on adds new scripts and additional endpoints to the ZAP API.
