Intercepting and modifying WebSockets

Web proxies such as Burp Suite and OWASP ZAP can record WebSockets communication. They can also intercept incoming and outgoing messages and allow messages to be added. OWASP ZAP additionally allows messages to be resent and supports using the Fuzzer tool to identify vulnerabilities.

In Burp Suite's proxy, there is a tab that shows the history of WebSockets communication. The regular Intercept option in the proxy can be used to intercept and modify incoming and outgoing messages. Burp Suite doesn't include the capability of using Repeater to resend a message. The following screenshot shows a message being intercepted in Burp Suite:

OWASP ZAP also has a special history tab for WebSockets. In that tab, one can set up breakpoints (like Burp Suite's Intercept) by right-clicking on any of the messages and selecting the Break... option. A new dialog will pop up where the break parameters and conditions can be set, as shown in the following screenshot:

When right-clicking on messages, there is also a Resend option, which opens the selected message for modification and resending. This works for both incoming and outgoing traffic. Thus, when resending an outgoing message, OWASP ZAP will deliver the message to the browser. The next screenshot shows the Resend dialog:

If you right-click the text in Resend, one of the options that appears is to fuzz that message.

The next screenshot shows how to add fuzzing strings to the default location. Here we are adding only a small set of XSS tests:

When we run the Fuzzer, the corresponding tab opens and shows the successful results (that is, the results that got a response resembling a vulnerable application):
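The check behind such a result can be reproduced as a regression test on the server side. The following is an added example, not code from the book or from OWASP ZAP: it runs a constructed set of probe strings through a message handler and flags any response that returns markup characters unencoded, first against a vulnerable echo handler and then against a hardened one. All names (buildEchoUnsafe, buildEchoSafe, audit, PROBES) are hypothetical.

```javascript
// Constructed sample probes standing in for the "small set of XSS tests".
const PROBES = [
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
  'plain text',
];

// Vulnerable handler (hypothetical): places the received WebSocket message
// into an HTML fragment exactly as it arrived.
function buildEchoUnsafe(msg) {
  return `<li class="msg">${msg}</li>`;
}

// HTML-encode the five characters that can change the parsing context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened handler (hypothetical): same fragment, but the message is encoded
// before it is sent back to clients.
function buildEchoSafe(msg) {
  return `<li class="msg">${escapeHtml(msg)}</li>`;
}

// A response "resembles a vulnerable application" when a probe containing
// markup characters comes back verbatim.
function reflectsUnencoded(probe, response) {
  return /[<>"']/.test(probe) && response.includes(probe);
}

// Return the probes that a given handler reflects without encoding.
function audit(handler) {
  return PROBES.filter((p) => reflectsUnencoded(p, handler(p)));
}

console.log('unsafe handler flagged:', audit(buildEchoUnsafe));
console.log('safe handler flagged:  ', audit(buildEchoSafe));
```

Running the same audit in a test suite after a fix confirms that messages which the Fuzzer tab previously listed as successful are now returned encoded.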
