CSTC, Modular HTTP Manipulator

CSTC is a powerful HTTP message manipulation extension that brings CyberChef-like transformation capabilities directly into Burp Suite. This extension enables security professionals to define custom recipes that automatically transform outgoing and incoming HTTP requests and responses, making it invaluable for testing applications with complex authentication schemes, custom protocols, or obfuscated traffic.

Features

• Lane-based transformation system allowing sequential operation chaining
• Over 100+ built-in operations across 16 categories including encryption, hashing, encoding, extractors, and string manipulation
• Automatic HTTP message processing for Scanner, Intruder, Repeater, and Proxy tools
• Variable extraction and reuse between different transformation lanes
• Custom formatting tab in HTTP message editors for testing and visualization
• Context menu integration for quick recipe application
• Request filtering based on URL patterns, HTTP methods, and other criteria
• State persistence across Burp Suite sessions (Professional edition)

Usage

1. Configure transformation recipes in the CSTC tab using the three main panels: Outgoing (request modification), Incoming (response processing), and Formatting (visualization only)
2. Add operations from the operations list by dragging or double-clicking to build your transformation chain
3. Configure operation parameters and use variables (prefixed with $) to reference data from other lanes
4. Enable the desired recipe panels and configure request filters to specify which traffic should be processed
5. Monitor transformations in real-time as HTTP messages pass through Burp Suite tools
6. Use the CSTC Formatting tab in message editors to test recipes without modifying actual traffic

Take a look at a basic tutorial on YouTube or dive into the written introduction to the tool.