[GH-ISSUE #1635] WebSocket error during handshake when using Proxyman #1629

Open
opened 2026-03-03 19:53:01 +03:00 by kerem · 7 comments
Owner

Originally created by @kartikarora on GitHub (May 12, 2023).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1635

Description

I am debugging an Android app which opens a webview, and the webview initiates a websocket connection. I have no control over the webview or the websocket connection code.

The webview is able to send parsed messages from websocket to native android code. I'd like to be able to modify this response using map remote to a locally hosted websocket server.

When I open the webview in Chrome's inspector, the following happens:

  • If Proxy is enabled and SSL Proxy for the domain is enabled, Chrome reports an error Error during WebSocket handshake: 'Sec-WebSocket-Protocol' header must not appear more than once in a response but the headers in Proxyman seem to be fine.
  • If Proxy is disabled and SSL Proxy for the domain is disabled, Chrome reports a successful connection and starts receiving messages in the websocket connection.

Environment

  • Websocket uses STOMP protocol for message exchange.
  • App version: Proxyman 4.7.1
  • macOS version: macOS Ventura 13.3.1
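
An added example, not part of the original issue or of Proxyman: a check of a raw handshake response against the rule behind the Chrome error quoted above, useful for comparing the bytes on the wire with what a proxy UI displays. The sample responses are constructed; the STOMP subprotocol names and the RFC 6455 sample key are assumptions standing in for the reporter's traffic.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
KEY = "dGhlIHNhbXBsZSBub25jZQ=="                  # sample client key from RFC 6455
OFFERED = ["v12.stomp", "v11.stomp", "v10.stomp"]  # assumed client offer

# Constructed sample responses (not captured from the reporter's server).
HEAD = (b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n")
GOOD = HEAD + b"Sec-WebSocket-Protocol: v12.stomp\r\n\r\n"
DUPLICATED = (HEAD + b"Sec-WebSocket-Protocol: v12.stomp\r\n"
              b"Sec-WebSocket-Protocol: v12.stomp\r\n\r\n")


def parse_response(raw):
    """Split a raw response head into (status, [(lowercased name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_handshake(raw, client_key, offered):
    """Return the handshake problems a conforming client would reject."""
    status, headers = parse_response(raw)
    def values(name):
        return [v for k, v in headers if k == name]
    problems = []
    if status != 101:
        problems.append(f"status {status}, expected 101")
    if [v.lower() for v in values("upgrade")] != ["websocket"]:
        problems.append("missing or invalid Upgrade header")
    digest = hashlib.sha1((client_key + WS_GUID).encode()).digest()
    if values("sec-websocket-accept") != [base64.b64encode(digest).decode()]:
        problems.append("Sec-WebSocket-Accept mismatch")
    protos = values("sec-websocket-protocol")
    if len(protos) > 1:
        problems.append("Sec-WebSocket-Protocol appears more than once")
    elif protos and protos[0] not in offered:
        problems.append(f"server chose unoffered subprotocol {protos[0]!r}")
    return problems
```
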

@kartikarora commented on GitHub (May 12, 2023):

I can confirm that a similar setup on Charles Proxy just works.


@NghiaTranUIT commented on GitHub (May 12, 2023):

Thanks. I'm investigating your issue and will send you a Beta build to test it out 👍


@NghiaTranUIT commented on GitHub (May 12, 2023):

@kartikarora can you share with me the website that uses WSS that I can test 🤔

My investigation

  1. Start an Android with Webview
  2. Try to capture WSS from WebView: https://www.piesocket.com/websocket-tester
  3. Able to capture without error

Note that I have to add the WSS domain (demo.piesocket.com) into the network_security_config.xml file.

<network-security-config>
    <domain-config>
        <!-- Make sure your URL Server here -->
        <domain includeSubdomains="true">www.piesocket.com</domain>
        <domain includeSubdomains="true">demo.piesocket.com</domain>
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
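
An added example, not from the thread or from Proxyman: a small audit of a `network_security_config.xml` that reports settings which stay in effect outside debuggable builds, run over the configuration quoted in the comment above and over a constructed variant that keeps user-CA trust inside `debug-overrides` only. The function name `audit` and the `HARDENED` sample are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# The configuration quoted in the comment above, embedded so the check runs offline.
PAGE_CONFIG = """
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">www.piesocket.com</domain>
        <domain includeSubdomains="true">demo.piesocket.com</domain>
        <trust-anchors>
            <certificates src="user"/>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/><certificates src="system"/></trust-anchors>
    </debug-overrides>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed variant: user CAs are trusted only when the build is debuggable.
HARDENED = """
<network-security-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>
"""


def audit(xml_text):
    """Return (section, scope, finding) tuples for settings that affect release builds."""
    findings = []
    for section in ET.fromstring(xml_text).iter():
        if section.tag not in ("base-config", "domain-config"):
            continue  # debug-overrides is ignored unless the app is debuggable
        domains = [d.text.strip() for d in section.findall("domain") if d.text]
        scope = ", ".join(domains) or "all other domains"
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append((section.tag, scope, "cleartext traffic permitted"))
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((section.tag, scope,
                                 "user-installed CAs trusted in release builds"))
    return findings
```
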

@kartikarora commented on GitHub (May 12, 2023):

Hey @NghiaTranUIT

Thanks for the quick response. Unfortunately, the domains are not internet-facing and won't work until you are physically here in the office in Sydney :/

I can however confirm that I have set up my network_security_config in a similar manner and I am able to proxy the other endpoints over HTTPS easily.

I'll try overriding the webview url with piesocket's demo url and see if that works.


@kartikarora commented on GitHub (May 12, 2023):

Interesting to find that https://www.piesocket.com/websocket-tester in the webview works and I am able to see the messages in Proxyman


@NghiaTranUIT commented on GitHub (May 12, 2023):

Maybe the bug is from WSS with STOMP protocol. I'm trying to find any STOMP WS online, so I can test it 👍


@kartikarora commented on GitHub (May 12, 2023):

@NghiaTranUIT The same server is interceptable on Charles though. I'd rather use Proxyman, to be honest.
I can't find any STOMP servers online, I'll try and make one over the weekend.
