1. Support Center
  2. BApp Store
  3. CSTC, Modular HTTP Manipulator
Professional Community

CSTC, Modular HTTP Manipulator


With the years we developed a software which provides a GUI which is adapted from the well known CyberChef, providing several small operations which can be chained to conduct a complicated input transformation. The extension eliminates the need of having several plugins for input and output transformations because it is build in a more generic way.

CSTC is especially useful for using already existing capabilities of Burp Suite Professional (Burp Scanner, Backslash Powered Scanner, ...) on web applications using client side calculated MACs, sequence numbers, or similar protections for request validation. However, CSTC does also perfectly interoperate with other Burp Suite features that are available in the Community Edition (Repeater, Intruder, ...).

It is also a great help for analyzing obfuscated HTTP based protocols because it can be used to de- and reobfuscate network traffic passing through the proxy. In this way, the analyst can concentrate on the task of finding vulnerabilities instead of writing a new extension for removing the obfuscation.


The tool uses a GUI which basic idea is similar to the CyberChef. However, it introduces a new concept which we call lanes. The output of a CSTC transformation is always determined from the the last lane which has an active operation. This initially takes getting used to, but quickly feels intuitive. Take a look at our basic tutorial on YouTube and make sure to read our initial CSTC blog post.

Author usdAG
Version 1.2.1
Last updated 10 July 2020

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore