Proper way to use Mallet with BurpSuite? [CloudFlare sites returning 505 HTTP Version Not Supported]

[ssstonebraker]

I think the tool is really cool but wanted a little direction for the proper way to use it with burp suite.

I am running mallet on Kali like this:

java -cp "target/mallet-1.0-SNAPSHOT.jar:target/dependency/*" com.sensepost.mallet.Main

Burp Suite Configuration:

• Proxy Listener Interface: 127.0.0.1:8080
• Upstream Proxy Servers: none
• SOCKS Proxy:
  • Use SOCKS Proxy: checked
  • SOCKS proxy host: 127.0.0.1
  • SOCKS proxy port: 1080
  • Do DNS lookups over SOCKS proxy: checked

This is what I have noticed:

1. Requests to regular websites work fine and are proxied through burp suite
2. Some CloudFlare sites such as icanhazip.com and https://blazor.syncfusion.com/demos/ (which are still proxied through) return the response:

Server: cloudflare
Date: Fri, 23 May 2025 22:46:30 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
CF-RAY: -

<html>
<head><title>505 HTTP Version Not Supported</title></head>
<body>
<center><h1>505 HTTP Version Not Supported</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

Output from when I ran mallet and requested icanhazip.com via burpsuite:

$ java -cp "target/mallet-1.0-SNAPSHOT.jar:target/dependency/*" com.sensepost.mallet.Main
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/steve/git/mallet/target/slf4j-jdk14-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/steve/git/mallet/target/dependency/slf4j-jdk14-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.JDK14LoggerFactory]
Adding handler 1(io.netty.handler.logging.LoggingHandler@498e4dba) to pipeline DefaultChannelPipeline{(ServerBootstrap$1#0 = io.netty.bootstrap.ServerBootstrap$1), (Graph$5#0 = com.sensepost.mallet.graph.Graph$5)}
Adding handler 0(com.sensepost.mallet.graph.LoopDetectingHandler@1c73565a) to pipeline DefaultChannelPipeline{(ServerBootstrap$1#0 = io.netty.bootstrap.ServerBootstrap$1), (Graph$5#0 = com.sensepost.mallet.graph.Graph$5), (LoggingHandler#0 = io.netty.handler.logging.LoggingHandler)}
May 23, 2025 10:50:21 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55] REGISTERED
May 23, 2025 10:50:21 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55] BIND: localhost/127.0.0.1:1080
May 23, 2025 10:50:21 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] ACTIVE
LOOP< []
LOOP< /127.0.0.1:1080
May 23, 2025 10:50:37 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ: [id: 0x3acc8362, L:/127.0.0.1:1080 - R:/127.0.0.1:48914]
May 23, 2025 10:50:37 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ COMPLETE
LOOP> icanhazip.com/104.16.185.241:443
LOOP< [icanhazip.com/104.16.185.241:443]
LOOP< /127.0.0.1:1080
May 23, 2025 10:50:38 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ: [id: 0xc2672df2, L:/127.0.0.1:1080 - R:/127.0.0.1:48916]
May 23, 2025 10:50:38 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ COMPLETE
LOOP> icanhazip.com/104.16.185.241:443
LOOP< [icanhazip.com/104.16.185.241:443]
LOOP< /127.0.0.1:1080
May 23, 2025 10:50:39 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ: [id: 0xda6d27cb, L:/127.0.0.1:1080 - R:/127.0.0.1:48918]
May 23, 2025 10:50:39 PM io.netty.util.internal.logging.AbstractInternalLogger log
INFO: [id: 0x1280bc55, L:/127.0.0.1:1080] READ COMPLETE
LOOP> icanhazip.com/104.16.185.241:443

Additional note:
If i load messagepack.mxe and try to load either of the sites mentioned before, the sites return 403 Forbidden.

Info about my setup:
Java Version:

steve@kali:~/git/mallet] $ java --version
openjdk 17.0.10 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Debian-1, mixed mode, sharing)

Maven Version:

[steve@kali:~/git/mallet] $ mvn --version
Apache Maven 3.9.9
Maven home: /usr/share/maven
Java version: 17.0.10, vendor: Debian, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.8.11-amd64", arch: "amd64", family: "unix"

Distribution:

[steve@kali:~/git/mallet] $ uname -a
Linux kali 6.8.11-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.8.11-1kali2 (2024-05-30) x86_64 GNU/Linux
[steve@kali:~/git/mallet] $ ls libext/
jackson-databind-2.8.11.1.jar  jackson-dataformat-msgpack-0.9.0.jar  msgpack-core-0.9.0.jar
[steve@kali:~/git/mallet] $ 

Any assistance would be appreciated!

[RoganDawes]

Thanks for trying Mallet. Hopefully I can help you bend it to your will :-)

In general, Mallet does nothing without a meaningful graph. The default graph is just relaying traffic from source to destination, after an initial SOCKS(4/5) negotiation. If the client is sending TLS traffic, then Mallet will not be able to see decrypted data, simple as that. In particular, this means that there is no modification of the bytes passing through, and therefore, any "method not allowed" messages you see from Cloudflare would have happened without Mallet in line.

The implication is that you then need to construct a graph that processes the bytes in some way or another for Mallet to be useful. The default graph is enough to show you what traffic is passing through (i.e. connection to IP A, port B), but that is about it.

So, I'll refer you to the blog post I wrote (that you have probably already seen, hence wanting to use Mallet and Blazor together): https://sensepost.com/blog/2023/decoding-blazorpack/

In particular, you probably want to start with the messagepack.mxe example graph: https://github.com/sensepost/mallet/blob/master/examples/messagepack.mxe

Just to note that the provided graph really only provides a read-only implementation of a MessagePack proxy. I never tried tampering with any fields, and another user who did try reported that connections were immediately dropped when he did. This suggests that there is some sort of checksum that needs to be updated on any changes to ensure consistency. I presume that the Burp BlazorPack plugin has already figured this out!

All that said, while you can combine Mallet and Burp Suite, there probably isn't much point. Burp Suite already has a BlazorPack plugin, which is actually more functional than Mallet is at the moment, I believe. Mallet can probably offer more flexible automation of changes once you solve the checksum hurdle, but that will be some initial work for you to do before you can actually start using Mallet.

I'm happy to assist you to figure out the details if you do wish to continue down this path.