Professional Community

CSTC, Modular HTTP Manipulator

CSTC is a powerful HTTP message manipulation extension that brings CyberChef-like transformation capabilities directly into Burp Suite. This extension enables security professionals to define custom recipes that automatically transform outgoing and incoming HTTP requests and responses, making it invaluable for testing applications with complex authentication schemes, custom protocols, or obfuscated traffic.

Features

  • Lane-based transformation system allowing sequential operation chaining
  • 100+ built-in operations across 16 categories including encryption, hashing, encoding, extractors, and string manipulation
  • Automatic HTTP message processing for Scanner, Intruder, Repeater, and Proxy tools
  • Variable extraction and reuse between different transformation lanes
  • Custom formatting tab in HTTP message editors for testing and visualization
  • Context menu integration for quick recipe application
  • Request filtering based on URL patterns, HTTP methods, and other criteria
  • State persistence across Burp Suite sessions (Professional edition)

Usage

  1. Configure transformation recipes in the CSTC tab using the three main panels: Outgoing (request modification), Incoming (response processing), and Formatting (visualization only)
  2. Add operations from the operations list by dragging or double-clicking to build your transformation chain
  3. Configure operation parameters and use variables (prefixed with $) to reference data from other lanes
  4. Enable the desired recipe panels and configure request filters to specify which traffic should be processed
  5. Monitor transformations in real time as HTTP messages pass through Burp Suite tools
  6. Use the CSTC Formatting tab in message editors to test recipes without modifying actual traffic

Take a look at a basic tutorial on YouTube or dive into the written introduction to the tool.

Author

usdAG

Version

1.3.6

Last updated

05 September 2025

Estimated system impact

Overall impact: Low

Memory: Low
CPU: Low
General: Low
Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
