Over the years we developed software whose GUI is adapted from the well-known CyberChef. It provides several small operations that can be chained to carry out a complicated input transformation. Because the extension is built in a more generic way, it eliminates the need for several separate plugins for input and output transformations.

CSTC is especially useful for applying existing capabilities of Burp Suite Professional (Burp Scanner, Backslash Powered Scanner, ...) to web applications that use client-side calculated MACs, sequence numbers, or similar protections for request validation. CSTC also interoperates perfectly with other Burp Suite features that are available in the Community Edition (Repeater, Intruder, ...).
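The kind of chain this paragraph has in mind, as an added example that is not CSTC's own code or part of the original page: two small operations re-stamp a sequence number and recompute an HMAC after a request body is edited, and a server-side check shows why the stale MAC is rejected. The key, header name, JSON layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real application defines its own key, fields and header.
CLIENT_KEY = b"constructed-demo-key"
MAC_HEADER = "X-Request-MAC"  # hypothetical header name


def op_set_sequence(req, state):
    """Operation 1: write the next sequence number into the JSON body."""
    state["seq"] += 1
    body = json.loads(req["body"])
    body["seq"] = state["seq"]
    return {**req, "body": json.dumps(body, separators=(",", ":"))}


def op_hmac_header(req, state):
    """Operation 2: recompute the MAC over the final body and set the header."""
    mac = hmac.new(CLIENT_KEY, req["body"].encode(), hashlib.sha256).hexdigest()
    return {**req, "headers": {**req["headers"], MAC_HEADER: mac}}


def run_chain(req, state, ops=(op_set_sequence, op_hmac_header)):
    """Feed the output of each operation into the next one, in order."""
    for op in ops:
        req = op(req, state)
    return req


def server_accepts(req, last_seq):
    """Server-side validation: the MAC must match and the sequence must advance."""
    expected = hmac.new(CLIENT_KEY, req["body"].encode(), hashlib.sha256).hexdigest()
    sent = req["headers"].get(MAC_HEADER, "")
    seq = json.loads(req["body"]).get("seq", -1)
    return hmac.compare_digest(expected, sent) and seq > last_seq


def demo():
    state = {"seq": 41}
    original = run_chain({"headers": {}, "body": '{"q":"shoes"}'}, state)
    # A testing tool edits the body but leaves the old MAC and sequence number in place.
    edited = {**original, "body": original["body"].replace("shoes", "boots")}
    rechained = run_chain(edited, state)  # the chain runs again on the edited request
    return (server_accepts(original, 41), server_accepts(edited, 42),
            server_accepts(rechained, 42))


if __name__ == "__main__":
    print(demo())
```

The edited request is rejected until the chain has run over it again, which is the step that otherwise has to be written as a dedicated plugin for each application.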

It is also a great help for analyzing obfuscated HTTP-based protocols because it can be used to deobfuscate and reobfuscate network traffic passing through the proxy. In this way, the analyst can concentrate on the task of finding vulnerabilities instead of writing a new extension for removing the obfuscation.


The tool uses a GUI whose basic idea is similar to CyberChef. However, it introduces a new concept which we call lanes. The output of a CSTC transformation is always determined by the last lane that has an active operation. This takes some getting used to at first, but quickly feels intuitive. Take a look at our basic tutorial on YouTube and make sure to read our initial CSTC blog post.

Author usdAG
Version 1.2.1
Last updated 10 July 2020

