Repository files navigation

Licensed under theGNU General Public License, Version 3.0 (the "License"). You may not use this tool except in compliance with the License.You may obtain a copy of the License athttps://www.gnu.org/licenses/gpl-3.0.html

The Cyber Security Transformation Chef (CSTC) is aBurp Suite extension. It is build for security experts toextendBurp Suite for chaining simple operations on each incoming or outgoingHTTP message.It can also be used to quickly apply custom formatting on each message.

Burp Suite is a general known software which providesa wide area of tools and functionality for conducting web application penetrationtests. One problem often encountered when usingBurp Suite for certain types ofweb applications is the lack of quick extensibility or the capabilityof conducting basic operations on incoming or outgoing messages.Burp Suite provides some functionality which can be used to adapt to certain scenarios(i.e. themacro feature), however it is a time consuming process, difficult to learn and error-prone.

With the years we developed a software which provides a GUI which is adapted from the well knownCyberChef, providing several small operations which can be chainedto conduct a complicated input transformation. The extension eliminatesthe need of having several plugins for input and output transformations because it is build in a more generic way.

CSTC is especially useful for using already existing capabilities ofBurp Suite Professional (Burp Scanner,Backslash Powered Scanner, ...)on web applications using client side calculatedMACs, sequence numbers, or similar protections for request validation.However,CSTC does also perfectly interoperate with otherBurp Suite features that are available in theCommunity Edition (Repeater,Intruder, ...).

It is also a great help for analyzing obfuscatedHTTP based protocols because it can be used to de- and reobfuscate network trafficpassing through the proxy. In this way, the analyst can concentrate on the task of finding vulnerabilitiesinstead of writing a new extension for removing the obfuscation.

The plugin has been successfully tested and decreased the time for performing tedious input and output transformations onHTTP messages.

CSTC can be used with eitherBurp Suite Community Edition orBurp Suite Professional.

CSTC is available inside theBurp Extension Storage (BApp Store) and listed under the nameCSTC, Modular HTTP Manipulator.Recently we observed some functionality issues when installingCSTC viaBApp Store. These should be fixed by now, but if youencounter additional problems you may want to installCSTC manually.

We suggest to pull the source code and build it yourself, because you should never trust binariesand should always review the code which is used in a productive setting.

However, you can also pull a release fromGitHub and install it by adding it toBurp Suite.

Build Process

The build process is fairly easy. It currently requires a installedJDK andMaven to build.You can build the extension with the following commands:

$ git clone https://github.com/usdAG/cstc.git$ cd cstc$ mvn package

Maven will automatically load the dependencies for building the extension and will buildaJar containing all these dependencies. The created Jar fileCSTC-X.X.X-jar-with-dependencies in thetarget directory can beinstalled inBurp Suite using theExtender->Add->Extensiontype-java feature.

The tool uses a GUI which basic idea is similar to theCyberChef. However, it introducesa new concept which we calllanes. The output of aCSTC transformation is always determinedfrom the the lastlane which has an active operation. This initially takes getting used to, but quickly feels intuitive.Take a look at our basic tutorial onYouTube and make sure to read our initialCSTCblog post.

UPDATE: Due to some incompatibility issues when installingCSTC viaBApp Store, we had to switch to a new variable prefix.Variables from otherlanes have now to be prefixed by$ e.g. like$Outgoing_step1.

Requests and responses pass through the extensions in the order that they are listed, from top to bottom (as describedhere).Depending on the extensions in use, it may make sense to adjust the position of the CSTC. If you want to process a request manipulated by the CSTC in another extension,the CSTC should be positioned above this extension. Conversely, the CSTC should be positioned below an extension if the CSTC is to work with the response processed by the extension in question.Currently the Burp Montoya API doesn't offer a way to change this order automatically, therefore the CSTC cannot influence the interaction with other extensions itself.

We gladly appreciate all feedback, bug reports and feature requests.Please understand that this tool is under active development and therefore willprobably contain some bugs :)