Response Overview Burp Extension
Today we would like to announce the release of an updated BurpSuite extension in the BApp store.
In the last few months we've been busy improving some of our own tools. One of them was the Response Overview (used to be called "Response Clusterer") Burp extension. We did a complete rewrite from Jython to Kotlin. Jython has some huge compatibility issues inside Burp, just to mention some of them:
Extensions break depending on if Jython version 2.7.0 or 2.7.2 is installed.
Type issues as Jython needs to convert Java arrays to Python string, which is not trivial in deeply-nested objects.
Jython is not available for Python 3, which is okay, but when our extensions grew large, we missed the type hinting feature of Python 3.
Cool features of Kotlin such as null-checking or automatically generated getter and setter methods are missing.
The only real downside we see is that Kotlin extensions need to be compiled before they can be used, whereas changing a line in a Python script is much easier.
This extension groups all response bodies by similarity and shows a summary, one request/response per group. The extension will allow a tester to get an overview of the tested website's responses from all tools (scanner, proxy, etc.). It provides an additional "semi-automated detection method" (compared to the usual detection methods response-based, time-based, interaction-based, etc.).
The new Response Overview extension has some huge memory, performance and UI improvements. This includes being able to sort the overview table as well as hiding items in it.
Moreover, according to Portswigger, this was the first Kotlin-only extension that was submitted to the Burp internal BApp store. They changed their build-pipeline to make sure Kotlin extensions can be auto-built in the future when submitted to the BApp store. So if you write an extension in Kotlin, make sure to have a look at our Github repository. Moreover, include the API files found in the burp-extender-api-kotlin Github repository as we did in the Response Overview extension.
During the journey of learning Kotlin and writing the extension, we encountered two annoying Kotlin compiler bugs. One bug could be circumvented because Portswigger agreed that Kotlin extension can provide their own API files (see above). The other bug was fixed when a new compiler version came out. We still haven't figured out another Serialization bug we encountered. So if you are a Java/Kotlin wizard, we would also be interested to hear from you why the Java Serialization (or rather the deserialization) of the boolean "hidden" flag in the LogEntry class is not working (hidden flag is always false when deserialized).
The Github repository also features more technical information about the extension. The extension can be found in BApp now and the BApp store listing can be found on the Portswigger website.
Have fun with the extension and happy bug hunting!