WebSockets are HTML5's solution for low-latency communications. Support is now stable in major browsers, and developers are starting to use them for chat, games, videoconferencing, and other applications. Despite their growing adoption, WebSockets are difficult for pen testers to mess with. Tools are starting to catch up – Wireshark, Fiddler and Chrome will let you view WebSocket traffic, but there is no simple system currently available to tamper with these messages. This summer I plan to release Socket Puppet, a Chrome extension designed to fill this need, and I want to release it at BSides.