CSTC, Modular HTTP Manipulator

Imagine GCHQ's CyberChef integrated in BurpSuite with live modification of requests at your fingertips. That's exactly what we had in mind when we built the Cyber Security Transformation Chef (CSTC) a few years ago. The CSTC is an extension to the popular BurpSuite Proxy built for experts working with web applications. It enables users to define recipes that are applied to outgoing or incoming HTTP requests/responses automatically. Whatever quirks and specialties an application might challenge you with during an assessment, the CSTC has you covered. Furthermore, it lets you quickly apply custom formatting to a chosen message if a more detailed analysis is needed.

As an example, imagine an API that requires an HMAC appended to all messages, derived from datapoints inside the message body. With the CSTC you can extract the necessary datapoints with ease and calculate the HMAC on the fly. Together with the CSTC's integration into all major BurpSuite components, you can now perform automatic intrusion tests with the Scanner, or manual fuzzing using Intruder and Repeater, without worrying about the HMAC any longer. Another use case is to extract JWTs from incoming HTTP responses and use them in outgoing requests of the Scanner. This eliminates the need to worry about expiring JWTs while scanning.
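The HMAC use case above, worked through as an added example (not code from CSTC or from this page): a hypothetical API signs three body fields with HMAC-SHA256, so an edited message is rejected unless the HMAC is recomputed, which is the step a CSTC recipe automates. The key, the field names and the JSON layout are constructed assumptions.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"            # constructed value, not a real secret
SIGNED_FIELDS = ("account", "amount", "nonce")  # hypothetical signed data points
SAMPLE = {"account": "ACC-001", "amount": 25, "nonce": "n-1", "memo": "demo"}  # constructed

def sign(body: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the selected fields, serialized unambiguously as a JSON array."""
    data = json.dumps([body[f] for f in SIGNED_FIELDS], separators=(",", ":"))
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def build_message(body: dict) -> str:
    """Client side: append the HMAC to the message body."""
    signed = {k: v for k, v in body.items() if k != "hmac"}
    signed["hmac"] = sign(signed)
    return json.dumps(signed)

def verify(raw: str, key: bytes = SHARED_KEY) -> bool:
    """Server side: recompute the HMAC and compare in constant time."""
    try:
        msg = json.loads(raw)
        received = msg.pop("hmac")
        expected = sign(msg, key)
        return hmac.compare_digest(expected.encode(), received.encode())
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed JSON, missing field or wrong type

def modify_field(raw: str, field: str, value, resign: bool) -> str:
    """Change one field of a signed message, optionally recomputing the HMAC."""
    msg = json.loads(raw)
    msg[field] = value
    return build_message(msg) if resign else json.dumps(msg)

if __name__ == "__main__":
    raw = build_message(SAMPLE)
    print("original accepted:     ", verify(raw))
    print("edited, stale HMAC:    ", verify(modify_field(raw, "amount", 9999, False)))
    print("edited, recomputed HMAC:", verify(modify_field(raw, "amount", 9999, True)))
```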

The tool uses a GUI whose basic idea is similar to CyberChef's. However, it introduces a new concept which we call lanes. The output of a CSTC transformation is always determined from the last lane which has an active operation. This initially takes getting used to, but quickly feels intuitive.

Take a look at our basic tutorial on YouTube or dive into the written introduction to the tool.

Author

usdAG

Version

1.3.4

Last updated

29 November 2024

Estimated system impact

Overall impact: Low

Memory: Low
CPU: Low
General: Low
Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
