As HTTP is a stateless protocol, it treats every request as unique and unrelated to the previous and next ones, which is why applications need to implement mechanisms such as session cookies to manage the operations performed by a single user in a session. As an alternative to overcome this limitation, HTML5 incorporates WebSockets. WebSockets provide a persistent, bidirectional communication channel between client and server over the HTTP protocol.

In this recipe, we will show how to use OWASP ZAP to monitor, intercept, and modify WebSockets communication as we do with normal requests during penetration testing.