sleeyax / burp-awesome-tls Goto Github PK

View Code? Open in Web Editor NEW

959.0 14.0 63.0 1.71 MB

Burp extension to evade TLS fingerprinting. Bypass WAF, spoof any browser.

License: GNU General Public License v3.0

Go 42.14% Java 53.88% Shell 3.98%

burpsuite burp-extensions tls tls-fingerprint java golang go utls burp-suite burp-cloudflare-bypass

burp-awesome-tls's Introduction

Note

Don't fall victim to impersonation attempts. Verify my identity here.

❓ About Me

I'm a Full Stack Software Engineer who loves to both break and build the web. Ever since I started programming I've had a particular interest in web scraping, automation, bots and security for which I've grown an expertise. Some may recognize me from my contributions in a time where sneaker bots were still cool (see projects below). The other side of me loves to develop web applications from scratch with whatever tech stack suits a project best.

Besides my main occupation, I also have an interest in other fields such as but not limited to cross-platform mobile app development, reverse engineering, GNU/Linux, Containers, DevOps and cloud.

If you'd like to hire me or if you're looking for a partner for your next project, check out my socials and shoot me a DM.

I'm also active on gitlab.

💻 Projects and Companies

Present

2024 -> ... : Open source development. See my latest projects below. Stay tuned and consider becoming a sponsor! 👀
July 2023 -> ... : All in one dating app automation suite for OF marketing (by snkr friends and me). 😏

Past

2023: Stremio media player & content aggregator
- Bootstrapped a fresh mobile app for Android and iOS using Kotlin & Compose
2022: Pixl NFT marketplace (formerly known as flow.so and infinity.xyz) to trade digital assets on the ETH blockchain
2019 -> 2021: Cybersole AIO (All In One) web automation software to automatically purchase online items (shoes, clothing, collectibles)
- Wrote and maintained site modules
- Reverse engineered all kinds of antibot and WAFs - including mobile versions
2019: Ignite another AIO bot company
- Rewrote most of the codebase from JavaScript spaghetti code to a modular TypeScript codebase and migrated from plain CSS to SCSS modules
2018 -> ... : Stremio Community media player & content aggregator
- Built plenty of addons for the platform and moderated the r/StremioAddons community
- Built an unofficial SDK in Rust
2017-2018: Fiverr where it all began...

👋 Socials

You can reach out to me via one of the following channels:

Twitter
Telegram
Reddit
Discord: sleeyax

Please email me if your inquiry is urgent.

Do NOT contact me for personal support, feature requests, issues, suggestions etc. regarding any of my public GitHub repositories. Create an issue or start a discussion on the relevant repository instead.

📈 Stats

Overview

Trophies

burp-awesome-tls's People

Contributors

Stargazers

Watchers

Forkers

crackercat evi1hack secjia atlassion un2b0 jtwmyd root0xa3 zanachka alecharing xjohjrdy ikpehlivan noscripter sneak71 0xsojalsec betillogalvanfbc bbhunter akbarxcode prynix some-say 0xy4q isgasho sesyi zzhsec xzone911 log4she11 sec-fork wangdadaya vovkoo benedridge cyker nishatn9807 rattlecattle newcodor p1v07 gprime31 slooppe 5l1v3r1 djerryz agelovito grow520 killman122 bowman03 ckevens superoldman96 1c3z vincelz w4n95 ozgurctk echoesofdreams brucetyler0 egida leeasina uuuunotfound annalinlin wisdark srand2 ana7r upcleo nabil-ak orinocoz shuaibibobo gaozzr y0un9ermm

burp-awesome-tls's Issues

Migrate to new Montoya API

Portswigger has released a newer API a few months ago and has deprecated the extender API. This extension should be ported over to ensure it keeps working in the future.

Working through an external proxy

There is a need to set up an external proxy server (for ip spoofing). If you do it in Burp with the extension disabled and SOCKS5 proxy defined, everything works as it should.

If you enable the extension, the following error appears:

I take it the extension won't work through an external proxy?

[Backend] Read TLS fingerprint from raw bytes

[Frontend] Setup GUI

Possible fields:

Remote server connection URL
TLS fingerprint
- Chrome
- Firefox
- iOS Safari
- Android Chrome
- Android okhttp
- Charles
Custom fingerprint from wireshark capture
Other customizable UTLS settings

What is the purpose of the listener address?

[Backend] Create UTLS roundtripper

Not working on Windows x64

Downloaded the extension and added it. After that everything I changed in the screenshot, when I try to open any site it errors.

err

Requests not working

I added the extension and I configured it but requests are not going through. The requests just get stuck on loading.

Here's my config:

burp proxy config:

output:

[Frontend] Settings management

We should consider how to pass settings from UI to the backend server. Perhaps we could keep it simple and just pass in a header with JSON serialized settings and then remove that header at the backend so it doesn't get sent to the destination host.

Setup cross-platform builds

We must be able to distribute cross-platform jar files targetting win, mac, linux. Each jar file should include one server library built for the target platform.

Alternatively we could distribute backend and frontend separately. Thus we end up having cross platform jar files for the frontend and cross platform binaries for the backend. This method is less portable but results in smaller jar files. Plus the server can update independently this way.

Add response header order

If you compare the response header order of a request with and without the extension enabled, you'll notice it's different.

GET http://httpbin.org/get with extension:

GET http://httpbin.org/get without extension:

Failed to connect to 127.0.0.1:8887

Bring back custom client hello (hex string field)

This feature was removed in https://github.com/sleeyax/burp-awesome-tls/releases/tag/v1.2.0 in favor of the more advanced intercept proxy. A handful of people have suggested adding it back because it's more lightweight, sharable and enables easier access to applying custom fingerprints.

Crashing Burp on Ubuntu 22.04

After loading the module and sending an HTTP request to the listener it crashes the whole BURP.
Burp version: 2022.9.1(Professional)
Java 17
os: Ubuntu 22.04

[Backend] HTTP header order

We could apply this patch file instead of adding support from scratch again: https://go-review.googlesource.com/c/go/+/105755

Add "InsecureSkipVerify: true" to tls config (RoundTrip: x509: certificate name does not match input)

Hi, I have problems with tls on some sites: RoundTrip: x509: certificate name does not match input.
Can we add "InsecureSkipVerify: true" to tls config here?
https://github.com/sleeyax/burp-awesome-tls/blob/main/src-go/server/roundtripper.go#L84

Error after adding extension

When I added the extension I get this error.

java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:630)
at java.base/java.lang.Integer.parseInt(Integer.java:786)
at burp.Settings.getHttpTimeout(Settings.java:68)
at burp.SettingsTab.(SettingsTab.java:44)
at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33)
at burp.Zcuc.Zw(Unknown Source)
at burp.Zsmc.ZS(Unknown Source)
at burp.Zsmz.lambda$initialiseOnNewThread$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:842)
java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:630)
at java.base/java.lang.Integer.parseInt(Integer.java:786)
at burp.Settings.getHttpTimeout(Settings.java:68)
at burp.BurpExtender.processHttpMessage(BurpExtender.java:58)
at burp.Znx2.handleHttpRequestToBeSent(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at burp.Zcnb.invoke(Unknown Source)
at jdk.proxy2/jdk.proxy2.$Proxy64.handleHttpRequestToBeSent(Unknown Source)
at burp.Ziby.ZG(Unknown Source)
at burp.Zsmr.ZG(Unknown Source)
at burp.Zfft.ZG(Unknown Source)
at burp.Zik3.Zv(Unknown Source)
at burp.Zink.ZD(Unknown Source)
at burp.Zink.ZH(Unknown Source)
at burp.Zte5.ZH(Unknown Source)
at burp.Ziot.ZH(Unknown Source)
at burp.Zkeg.ZH(Unknown Source)
at burp.Zcug.ZU(Unknown Source)
at burp.Zkkj.ZC(Unknown Source)
at burp.Zkk7.ZC(Unknown Source)
at burp.Zfmk.ZJ(Unknown Source)
at burp.Ztir.lambda$issueRequest$0(Unknown Source)
at burp.Zcq9.ZR(Unknown Source)
at burp.Zcv3.Zt(Unknown Source)
at burp.Zcv3.Zw(Unknown Source)
at burp.Zbns.Zb(Unknown Source)
at burp.Ztre.Zb(Unknown Source)
at burp.Ztir.Ze(Unknown Source)
at burp.Zi8v.Zn(Unknown Source)
at burp.Zg3y.ZG(Unknown Source)
at burp.Zce3.Zi(Unknown Source)
at burp.Zfld.Zb(Unknown Source)
at burp.Zfld.Zp(Unknown Source)
at burp.Zm7q.Zc(Unknown Source)
at burp.Zpv.Zg(Unknown Source)
at burp.Zk1b.ZZ(Unknown Source)
at burp.Ziso.run(Unknown Source)
at burp.Zcjg.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:842)
java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:630)
at java.base/java.lang.Integer.parseInt(Integer.java:786)
at burp.Settings.getHttpTimeout(Settings.java:68)
at burp.BurpExtender.processHttpMessage(BurpExtender.java:58)
at burp.Znx2.handleHttpRequestToBeSent(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at burp.Zcnb.invoke(Unknown Source)
at jdk.proxy2/jdk.proxy2.$Proxy64.handleHttpRequestToBeSent(Unknown Source)
at burp.Ziby.ZG(Unknown Source)
at burp.Zsmr.ZG(Unknown Source)
at burp.Zfft.ZG(Unknown Source)
at burp.Zik3.Zv(Unknown Source)
at burp.Zink.ZD(Unknown Source)
at burp.Zink.ZH(Unknown Source)
at burp.Zte5.ZH(Unknown Source)
at burp.Ziot.ZH(Unknown Source)
at burp.Zkeg.ZH(Unknown Source)
at burp.Zcug.ZU(Unknown Source)
at burp.Zkkj.ZC(Unknown Source)
at burp.Zkk7.ZC(Unknown Source)
at burp.Zfmk.ZJ(Unknown Source)
at burp.Ztir.lambda$issueRequest$0(Unknown Source)
at burp.Zcq9.ZR(Unknown Source)
at burp.Zcv3.Zt(Unknown Source)
at burp.Zcv3.Zw(Unknown Source)
at burp.Zbns.Zb(Unknown Source)
at burp.Ztre.Zb(Unknown Source)
at burp.Ztir.Ze(Unknown Source)
at burp.Zi8v.Zn(Unknown Source)
at burp.Zg3y.ZG(Unknown Source)
at burp.Zce3.Zi(Unknown Source)
at burp.Zfld.Zb(Unknown Source)
at burp.Zfld.Zp(Unknown Source)
at burp.Zm7q.Zc(Unknown Source)
at burp.Zpv.Zg(Unknown Source)
at burp.Zk1b.ZZ(Unknown Source)
at burp.Ziso.run(Unknown Source)
at burp.Zcjg.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:842)
java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:630)
at java.base/java.lang.Integer.parseInt(Integer.java:786)
at burp.Settings.getHttpTimeout(Settings.java:68)
at burp.BurpExtender.processHttpMessage(BurpExtender.java:58)
at burp.Znx2.handleHttpRequestToBeSent(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at burp.Zcnb.invoke(Unknown Source)
at jdk.proxy2/jdk.proxy2.$Proxy64.handleHttpRequestToBeSent(Unknown Source)
at burp.Ziby.ZG(Unknown Source)
at burp.Zsmr.ZG(Unknown Source)
at burp.Zfft.ZG(Unknown Source)
at burp.Zik3.Zv(Unknown Source)
at burp.Zink.ZD(Unknown Source)
at burp.Zink.ZH(Unknown Source)
at burp.Zte5.ZH(Unknown Source)
at burp.Ziot.ZH(Unknown Source)
at burp.Zkeg.ZH(Unknown Source)
at burp.Zcug.ZU(Unknown Source)
at burp.Zkkj.ZC(Unknown Source)
at burp.Zkk7.ZC(Unknown Source)
at burp.Zfmk.ZJ(Unknown Source)
at burp.Ztir.lambda$issueRequest$0(Unknown Source)
at burp.Zcq9.ZR(Unknown Source)
at burp.Zcv3.Zt(Unknown Source)
at burp.Zcv3.Zw(Unknown Source)
at burp.Zbns.Zb(Unknown Source)
at burp.Ztre.Zb(Unknown Source)
at burp.Ztir.Ze(Unknown Source)
at burp.Zi8v.Zn(Unknown Source)
at burp.Zg3y.ZG(Unknown Source)
at burp.Zce3.Zi(Unknown Source)
at burp.Zfld.Zb(Unknown Source)
at burp.Zfld.Zp(Unknown Source)
at burp.Zm7q.Zc(Unknown Source)
at burp.Zpv.Zg(Unknown Source)
at burp.Zk1b.ZZ(Unknown Source)
at burp.Ziso.run(Unknown Source)
at burp.Zcjg.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:842)

Wechat mini program can not catch the packet, Repeater can not send

There was an error when the plug-in was installed, and several attempts were inexplably successful, but the package of wechat mini programs could not be caught and the response could not be sent. It is suggested that the author try it in the new environment

Bad request when binary data in HTTP request

I got a bad request response from the go server when proxying a request that sends data in the protocol buffer wire format.

Error on first installation: java.lang.NumberFormatException: Cannot parse null string

Run java 17.0.4 2022-07-19 LTS and I have tried various versions of Java but none of them works. these are errors. Thanks for your contribution.
java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:630)
at java.base/java.lang.Integer.parseInt(Integer.java:786)
at burp.Settings.getTimeout(Settings.java:52)
at burp.SettingsTab.(SettingsTab.java:38)
at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at burp.xu1.lambda$registerExtenderCallbacks$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

error on burp

Add cronet

Add https://github.com/SagerNet/cronet-go for a perfect chromium fingerprint with HTTP 1, 2 and 3 (QUIC) support.

burp and browser config

Is It possible to give burp and browser config example because for some reason my burp crashes.

返回错误

wsarecv: An existing connection was forcibly closed by the remote host.

-

[Backend] Add customizable HTTP 2 SETTINGS frame

rfc7540

Not Worked

java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:627)
at java.base/java.lang.Integer.parseInt(Integer.java:781)
at burp.Settings.getTimeout(Settings.java:52)
at burp.SettingsTab.(SettingsTab.java:38)
at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33)
at burp.zkf.K(Unknown Source)
at burp.u2d.O(Unknown Source)
at burp.u29.lambda$initialiseOnNewThread$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1589)

Cannot have multiple response headers w/ same name

If the response contains multiple cookies w/ the same name (such as set-cookie), only one is returned.

Set overwrites the header's value, if a header with that key already exists:

burp-awesome-tls/src-go/server/server.go

Lines 52 to 55 in 08fce6f

    
           for k, _ := range res.Header { 
        
           	v := res.Header.Get(k) 
        
           	w.Header().Set(k, v) 
        
           }

Add could be used instead, but maybe instead of looping through all the headers and copying them that way, it would be better to just copy the Header instance from res to w?

Support for Linux/arm64

Could you support for Linux/arm64 ?

Java version error

ERROR:java.lang.UnsupportedClassVersionError: burp/BurpExtender has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 59.0

[Backend] Import net/x/http2

See: refraction-networking/utls#16 (comment)

[Backend] Fork net/http

Log error when server binary can't be found or loaded

Currently, there is a potential issue where the extension can be installed for an incorrect target architecture, resulting in it not functioning without any clear indication of the problem. To address this, we should implement a mechanism that logs an error to Burp's extension error log when the server binary is not found. This enhancement aims to prevent confusion by providing a clear error message in such situations.

Related to: #41

Support for M1 Macs

Love this project, was wondering if you could publish builds for M1 Macs (ARM)? Appreciate the work.

[WINDOWS] Burp Suite crashes on startup with burp-awesome-tls extension enabled

Description

When I enable the burp-awesome-tls extension, Burp Suite crashes on startup.

Steps to Reproduce

Start Burp Suite.
Install and enable the burp-awesome-tls extension.
The Burp Suite crashes instantly

Expected Behavior

Burp Suite should start normally with the burp-awesome-tls extension enabled.

Actual Behavior

Burp Suite crashes immediately on startup when the burp-awesome-tls extension is enabled.

Burp Suite Version

Burp Suite Community Edition v2024.1.1.6

Extension Version

v1.2.0

Java Version

Java 21

Additional Information

--diagnostics flag output

--------------------------------------------------------------------------------------------------------- SYSTEM PROPERTIES --------------------------------------------------------------------------------------------------------- awt.dnd.drag.threshold 15 com.sun.net.ssl.requireCloseNotify false file.encoding UTF-8 file.separator \ flatlaf.uiScale.enabled false java.class.path burpsuite_community.jar java.class.version 65.0 java.home D:\Programme\Java java.io.tmpdir C:\Users\Nabil\AppData\Local\Temp\ java.library.path D:\Programme\Java\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\Program Files\Mullvad VPN\resources;C:\Program Files\Git\cmd;C:\Program Files\Go\bin;C:\Users\Nabil\AppData\Local\Programs\Python\Launcher\;C:\Users\Nabil\AppData\Local\Microsoft\WindowsApps;C:\Users\Nabil\AppData\Local\Programs\Microsoft VS Code\bin;C:\Users\Nabil\go\bin;. java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 21.0.2+13-LTS-58 java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 21 java.vendor Oracle Corporation java.vendor.url https://java.oracle.com/ java.vendor.url.bug https://bugreport.java.com/bugreport/ java.version 21.0.2 java.version.date 2024-01-16 java.vm.compressedOopsMode Zero based java.vm.info mixed mode, sharing java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 21 java.vm.vendor Oracle Corporation java.vm.version 21.0.2+13-LTS-58 jdk.debug release jdk.tls.allowUnsafeServerCertChange true jdk.tls.maxCertificateChainLength 1337 native.encoding Cp1252 org.bouncycastle.jsse.client.dh.minimumPrimeBits 1024 org.bouncycastle.jsse.client.dh.unrestrictedGroups true os.arch amd64 os.name Windows 10 os.version 10.0 path.separator ; stderr.encoding cp850 stdout.encoding cp850 sun.arch.data.model 64 sun.awt.enableExtraMouseButtons true sun.boot.library.path D:\Programme\Java\bin sun.cpu.endian little sun.cpu.isalist amd64 sun.io.unicode.encoding UnicodeLittle sun.java.command burpsuite_community.jar --diagnostics sun.java.launcher SUN_STANDARD sun.jnu.encoding Cp1252 sun.management.compiler HotSpot 64-Bit Tiered Compilers sun.os.patch.level user.country DE user.dir D:\Programme\BurpSuiteCommunity user.home C:\Users\Nabil user.language de user.name Nabil user.script user.timezone Europe/Berlin user.variant

SYSTEM RESOURCES

Number of processors 8
Total JVM memory 108 MiB
Max JVM memory 3,98 GiB
Free JVM memory 66,09 MiB

Total physical memory 15,93 GiB
Free physical memory 8,67 GiB
Total swap 22,18 GiB
Free swap 10,45 GiB

BURP PROPERTIES

Burp Version 2024.1.1.6
Build Number 27682
Product Name Burp Suite Community Edition
Burp Browser [version=122.0.6261.112, installationPath=D:\Programme\BurpSuiteCommunity\burpbrowser\122.0.6261.112]
Code source D:\Programme\BurpSuiteCommunity\burpsuite_community.jar
Debug ID qdov1t0g9oecadiq8zvq:o3bq
JAR type Installer
currenttimemillis 1710591326552
nanotime 73352300819000

---

Thank you for your assistance.

Awesome TLS error: create spec from client hello: FingerprintClientHello: record is not a handshake

Errors

java.lang.NumberFormatException: Cannot parse null string
at java.base/java.lang.Integer.parseInt(Integer.java:627)
at java.base/java.lang.Integer.parseInt(Integer.java:781)
at burp.Settings.getHttpTimeout(Settings.java:68)
at burp.SettingsTab.(SettingsTab.java:44)
at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33)
at burp.Zx5.ZS(Unknown Source)
at burp.Zcp_.Zc(Unknown Source)
at burp.Zcpk.lambda$initialiseOnNewThread$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1623)
a

Unable to load library on Ubuntu

Hi,

In burp I get an error like "Failed to connect to 127.0.0.1:8888"

the server is not started obviously.

Also, when I unload the extension I get an error like

java.lang.ExceptionInInitializerError: Exception java.lang.UnsatisfiedLinkError: Unable to load library 'server.so':
server.so: cannot open shared object file: No such file or directory
server.so: cannot open shared object file: No such file or directory
Native library (linux-x86-64/server.so) not found in resource path ([file:/tmp/burp9901995054636778576.tmp/32]) [in thread "Thread-19"]
	at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:301)
	at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:461)
	at com.sun.jna.Library$Handler.<init>(Library.java:192)
	at com.sun.jna.Native.load(Native.java:622)
	at com.sun.jna.Native.load(Native.java:596)
	at burp.ServerLibrary.<clinit>(ServerLibrary.java:8)
	at burp.BurpExtender.lambda$registerExtenderCallbacks$0(BurpExtender.java:36)
	at java.base/java.lang.Thread.run(Thread.java:1589)

Does this plugin have specific requirements for Java versions and Burp versions? I'm experiencing crashes when installing both the fat version and the Windows x64 version of the release on Burp 2023.10.3.6 with Java 17.0.99.

Unable to load library 'server.dylib'

After loading the extension in Burp, the following error is shown in stdout:

dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
Native library (darwin-x86-64/libserver.dylib.dylib) not found in resource path ([file:/var/folders/hn/_pcv7pl154bbns24yhwjt05c0000gn/T/burp10831821168041598492.tmp/2])
	at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:301)
	at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:461)
	at com.sun.jna.Library$Handler.<init>(Library.java:192)
	at com.sun.jna.Native.load(Native.java:622)
	at com.sun.jna.Native.load(Native.java:596)
	at burp.ServerLibrary.<clinit>(ServerLibrary.java:8)
	at burp.BurpExtender.lambda$registerExtenderCallbacks$0(BurpExtender.java:36)
	at java.base/java.lang.Thread.run(Thread.java:833)
	Suppressed: java.lang.UnsatisfiedLinkError: dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
		at com.sun.jna.Native.open(Native Method)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:191)
		... 7 more
	Suppressed: java.lang.UnsatisfiedLinkError: dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
		at com.sun.jna.Native.open(Native Method)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:204)
		... 7 more
	Suppressed: java.io.IOException: Native library (darwin-x86-64/libserver.dylib.dylib) not found in resource path ([file:/var/folders/hn/_pcv7pl154bbns24yhwjt05c0000gn/T/burp10831821168041598492.tmp/2])
		at com.sun.jna.Native.extractFromResourcePath(Native.java:1145)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:275)
		... 7 more

OS: macOS 12.6 (Intel)
Burp version: v2022.8.4 CE
Using Burp-Awesome-TLS-macos-amd64.jar from release v0.0.2-rc.2

Error: open ca.der: permission denied

Using Burp Suite Pro v2023.10.1.2 on an ubuntu 22 VM, when attempting to load the extention I get the following error:

What directory are these files created in? I looked in certificate.go but couldn't find it. If I know the target directory I can just chown it and that should fix this issue.

Update HTTP/TLS implementation

We should look into using a better maintained TLS spoofing library such as https://github.com/bogdanfinn/tls-client so we don't have to do so ourselves.

Awesome TLS error: create spec from client hello: FingerprintClientHello: unsupported extension 65037

copy client hello record as hex stream and paste it into the field "Hex Client Hello"

Awesome TLS error: create spec from client hello: FingerprintClientHello: unsupported extension 65037

Build cross platform .jar files

Ideally, instead of having a release that looks like this

burp-awesome-tls.jar
*-server.dll
*-server.so
*-server.dylib

We should have something like this:

burp-awesome-tls-linux-x64.jar
burp-awesome-tls-win-x64.jar

This is much more user friendly.

Thinking further, we could also release an actual cross platform 'fat jar' burp-awesome-tls-fat.jar that contains all server binaries for all supported platforms (i.e. most popular win, mac and linux). This jar would be significantly bigger in size, but it would work everywhere and could be dragged around on an USB stick for example.

I'm not sure how this build process should look like though. I think we'd need something like this, unless I'm missing something obvious:

go build action builds all binaries and places them in ./src-go/server/build
a custom script copies each binary into src/java/resources with the correct JNA {OS}-{ARCH} folder name and builds the jar file each time one gets copied, plus cleans up afterwards (i.e delete the resources/{OS}-{ARCH} that was created)
a custom script copies all binaries to resources and builds the fatjar

Self signed certificate and not working port

Hello! I configured Awesome TLS like this:

And in my browser i've set proxy settings like this:

When i try to open google.com via firefox developer, im getting error: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT.
Then i installed ca.der from this plugin to Firefox's certificate storage, and i'm getting following error: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY.

How to configure plugin to work?

Windows 11 Pro (x64)
Burp Suite Professional 2023.12.1.2
JDK 18
Using 1.2.0 fat version of plugin.

	for k, _ := range res.Header {
	v := res.Header.Get(k)
	w.Header().Set(k, v)
	}