After loading the extension in Burp, the following error is shown in stdout:

dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
Native library (darwin-x86-64/libserver.dylib.dylib) not found in resource path ([file:/var/folders/hn/_pcv7pl154bbns24yhwjt05c0000gn/T/burp10831821168041598492.tmp/2])
	at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:301)
	at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:461)
	at com.sun.jna.Library$Handler.<init>(Library.java:192)
	at com.sun.jna.Native.load(Native.java:622)
	at com.sun.jna.Native.load(Native.java:596)
	at burp.ServerLibrary.<clinit>(ServerLibrary.java:8)
	at burp.BurpExtender.lambda$registerExtenderCallbacks$0(BurpExtender.java:36)
	at java.base/java.lang.Thread.run(Thread.java:833)
	Suppressed: java.lang.UnsatisfiedLinkError: dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
		at com.sun.jna.Native.open(Native Method)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:191)
		... 7 more
	Suppressed: java.lang.UnsatisfiedLinkError: dlopen(libserver.dylib.dylib, 0x0009): tried: 'libserver.dylib.dylib' (relative path not allowed in hardened program), '/usr/lib/libserver.dylib.dylib' (no such file)
		at com.sun.jna.Native.open(Native Method)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:204)
		... 7 more
	Suppressed: java.io.IOException: Native library (darwin-x86-64/libserver.dylib.dylib) not found in resource path ([file:/var/folders/hn/_pcv7pl154bbns24yhwjt05c0000gn/T/burp10831821168041598492.tmp/2])
		at com.sun.jna.Native.extractFromResourcePath(Native.java:1145)
		at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:275)
		... 7 more

• OS: macOS 12.6 (Intel)
• Burp version: v2022.8.4 CE
• Using Burp-Awesome-TLS-macos-amd64.jar from release v0.0.2-rc.2

If the response contains multiple cookies w/ the same name (such as set-cookie), only one is returned.

Set overwrites the header's value, if a header with that key already exists: https://github.com/sleeyax/burp-awesome-tls/blob/08fce6f79867de4568c1abb4d9690a318ac16820/src-go/server/server.go#L52-L55

Add could be used instead, but maybe instead of looping through all the headers and copying them that way, it would be better to just copy the Header instance from res to w?

optimize:

• upgrade golang to 1.18 in CI
• downgrade JDK to 11 in CI , for more users who is running JDK 11
• introduce more details about build plugins manually, especially for Apple Silicon users who runs an ARM64 JDK instead of amd64 one. remove user identity related string in golang build by introducing -trimpath -ldflags='-s -w' param. Currently, it is still not available for users to compile against Apple M1 automatically due to bugs listed below.

bug fix:

• when load plugin, it will tells you in Settings.java :

    public int getTimeout() {
        return Integer.parseInt(this.read(this.timeout));
    }

number conversion failed due to timeout is NULL. Since I'm not that familiar with Burp extension development, but I think it might because it only allows all settings in String instead of int here. So I change the Settings.timeout to String and removed redundant type conversion.

HOWEVER

There are still bugs here:

• unload extension will result in:

java.lang.NoClassDefFoundError: Could not initialize class burp.ServerLibrary
	at burp.BurpExtender.extensionUnloaded(BurpExtender.java:76)
	at burp.c6o.h(Unknown Source)
	at burp.izp.b(Unknown Source)
	at burp.a8_.lambda$toggleLoadedState$1(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

• server.dylib is loaded, but no port get listened. I have no idea how to debugging it.

If you could give me some help about fix the bug, I will build a more strong auto build script to help all of us.

Thanks for your excellent idea.

java.lang.NumberFormatException: Cannot parse null string at java.base/java.lang.Integer.parseInt(Integer.java:627) at java.base/java.lang.Integer.parseInt(Integer.java:781) at burp.Settings.getTimeout(Settings.java:52) at burp.SettingsTab.(SettingsTab.java:38) at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33) at burp.zkf.K(Unknown Source) at burp.u2d.O(Unknown Source) at burp.u29.lambda$initialiseOnNewThread$0(Unknown Source) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) at java.base/java.lang.Thread.run(Thread.java:1589)

Second fix for multi-value headers (#17).

The fix can be tested using: http://httpbin.org/cookies/set?cookie_1=c_1&cookie_2=c_2

Before fix:

After fix:

Ideally, instead of having a release that looks like this

• burp-awesome-tls.jar
• *-server.dll
• *-server.so
• *-server.dylib

We should have something like this:

• burp-awesome-tls-linux-x64.jar
• burp-awesome-tls-win-x64.jar

This is much more user friendly.

Thinking further, we could also release an actual cross platform 'fat jar' burp-awesome-tls-fat.jar that contains all server binaries for all supported platforms (i.e. most popular win, mac and linux). This jar would be significantly bigger in size, but it would work everywhere and could be dragged around on an USB stick for example.

I'm not sure how this build process should look like though. I think we'd need something like this, unless I'm missing something obvious:

• go build action builds all binaries and places them in ./src-go/server/build
• a custom script copies each binary into src/java/resources with the correct JNA {OS}-{ARCH} folder name and builds the jar file each time one gets copied, plus cleans up afterwards (i.e delete the resources/{OS}-{ARCH} that was created)
• a custom script copies all binaries to resources and builds the fatjar

Possible fields:

• Remote server connection URL
• TLS fingerprint
  • Chrome
  • Firefox
  • iOS Safari
  • Android Chrome
  • Android okhttp
  • Charles
• Custom fingerprint from wireshark capture
• Other customizable UTLS settings

We should consider how to pass settings from UI to the backend server. Perhaps we could keep it simple and just pass in a header with JSON serialized settings and then remove that header at the backend so it doesn't get sent to the destination host.

We must be able to distribute cross-platform jar files targetting win, mac, linux. Each jar file should include one server library built for the target platform.

Alternatively we could distribute backend and frontend separately. Thus we end up having cross platform jar files for the frontend and cross platform binaries for the backend. This method is less portable but results in smaller jar files. Plus the server can update independently this way.

The backend server should support SSL/TLS for security reasons. Certificates should be automatically generated for additional security. We could use code from gomitmproxy for this (with proper credit, of course!).

Hi, I have problems with tls on some sites: RoundTrip: x509: certificate name does not match input. Can we add "InsecureSkipVerify: true" to tls config here? https://github.com/sleeyax/burp-awesome-tls/blob/main/src-go/server/roundtripper.go#L84

After loading the module and sending an HTTP request to the listener it crashes the whole BURP. Burp version: 2022.9.1(Professional) Java 17 os: Ubuntu 22.04

If you compare the response header order of a request with and without the extension enabled, you'll notice it's different.

GET http://httpbin.org/get with extension:

GET http://httpbin.org/get without extension:

Run java 17.0.4 2022-07-19 LTS and I have tried various versions of Java but none of them works. these are errors. Thanks for your contribution. java.lang.NumberFormatException: Cannot parse null string at java.base/java.lang.Integer.parseInt(Integer.java:630) at java.base/java.lang.Integer.parseInt(Integer.java:786) at burp.Settings.getTimeout(Settings.java:52) at burp.SettingsTab.(SettingsTab.java:38) at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:33) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at burp.xu1.lambda$registerExtenderCallbacks$0(Unknown Source) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.base/java.lang.Thread.run(Thread.java:833)