💬 Day 4: Adding Real-Time Chat & Testing WebSocket Security (Django + AppSec Journey)

hari
2 min read

Welcome to Day 4 of my Django + AppSec journey!
Today was all about making my chat app real-time using WebSockets and then trying to hack it with XSS and IDOR attacks — and fixing them 💥

🛠️ 1. Building Real-Time Messaging with Django Channels

  • Installed channels and channels-redis

  • Configured Redis as the channel layer

  • Created a custom ChatConsumer to handle WebSocket connections
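
As an added example (not the post's own code, and not Django Channels' API), this is the kind of server-side check a `ChatConsumer.receive()` would run on each inbound frame before broadcasting to the room: the membership table, user names and room ids are constructed stand-ins for the app's real models, and the XSS/IDOR defenses are the ones the post sets out to add.

```python
import html
import json

# Constructed stand-in for the app's Room/membership models (assumption: in the
# real consumer this would be a DB query, e.g. the room's members relation).
ROOM_MEMBERS = {
    "room-1": {"alice", "bob"},
    "room-2": {"carol"},
}

def is_member(user: str, room_id: str) -> bool:
    """IDOR defense: membership is decided from server-side state, never from
    the room id or user name the client put in the WebSocket URL or frame."""
    return user in ROOM_MEMBERS.get(room_id, set())

def sanitize_message(text: str, max_len: int = 500) -> str:
    """XSS defense: HTML-escape before storing/broadcasting so that a payload
    like <script> is rendered literally by the chat template."""
    if not isinstance(text, str):
        raise ValueError("message must be a string")
    return html.escape(text.strip()[:max_len], quote=True)

def handle_frame(user: str, room_id: str, raw_frame: str):
    """Process one text frame as the consumer's receive() would.
    Returns the event to group_send, or None when the frame is rejected
    (the real consumer would then close the socket)."""
    if not is_member(user, room_id):
        return None  # authenticated user, but not authorized for this room
    try:
        payload = json.loads(raw_frame)
    except json.JSONDecodeError:
        return None  # malformed frame, e.g. tampered with in a proxy
    body = sanitize_message(payload.get("message", ""))
    if not body:
        return None  # drop empty messages instead of broadcasting them
    return {"type": "chat.message", "room": room_id, "user": user, "message": body}

if __name__ == "__main__":
    # A frame carrying markup comes back escaped; a frame from a non-member is dropped.
    print(handle_frame("alice", "room-1", '{"message": "<b>hi</b>"}'))
    print(handle_frame("alice", "room-2", '{"message": "hi"}'))
```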

⚙️ 2. Installed Burp Suite + Set Up the Proxy

I downloaded and installed the Community Edition of Burp Suite, then set up Firefox to route traffic through Burp:

🔌 Firefox Proxy Config:

  • HTTP Proxy: 127.0.0.1

  • Port: 8080

  • Checked ✅ “Use this proxy for all protocols”

🔐 3. Imported Burp’s SSL Certificate

Since I wanted to intercept HTTPS/WebSocket traffic, I had to trust Burp’s certificate:

  1. Visited http://burp in Firefox (with Burp running)

  2. Downloaded the CA Certificate

  3. Renamed it to .crt and imported it into Firefox:

    • Settings → Privacy & Security → Certificates → View Certificates

    • Imported under Authorities

    • ✔️ Checked “Trust this CA to identify websites”

🔒 Now Burp can decrypt and show HTTPS and WebSocket (wss) traffic 🔥

🧠 4. Intercepting WebSocket Requests via Burp

With proxy + certificate in place, I:

  • Opened the chat page in Firefox

  • Saw 101 Switching Protocols in Burp (✅ WebSocket handshake success!)

  • Captured live messages via:
    Burp → Proxy → WebSockets tab

Next up: trying XSS and IDOR attacks against the chat, then fixing them.
