{"id":13636291,"url":"https://github.com/usdAG/cstc","last_synced_at":"2025-04-19T08:31:54.012Z","repository":{"id":39797372,"uuid":"195959897","full_name":"usdAG/cstc","owner":"usdAG","description":"CSTC is a Burp Suite extension that allows request/response modification using a GUI analogous to CyberChef ","archived":false,"fork":false,"pushed_at":"2024-11-08T10:48:09.000Z","size":26001,"stargazers_count":216,"open_issues_count":1,"forks_count":26,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-08T11:33:00.605Z","etag":null,"topics":["burp-extensions","burp-plugin","burpsuite","cyberchef","encoding","extender","java","transformation"],"latest_commit_sha":null,"homepage":"https://herolab.usd.de/news-cyber-security-transformation-chef/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/usdAG.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-09T07:51:38.000Z","updated_at":"2024-11-06T04:13:00.000Z","dependencies_parsed_at":"2023-02-19T06:31:34.396Z","dependency_job_id":"18ecf071-b1b8-4a08-bf35-d7452b391320","html_url":"https://github.com/usdAG/cstc","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usdAG%2Fcstc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usdAG%2Fcstc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usdAG%2Fcstc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/usdAG%2Fcstc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/usdAG","download_url":"https://codeload.github.com/usdAG/cstc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223795215,"owners_count":17204132,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burp-extensions","burp-plugin","burpsuite","cyberchef","encoding","extender","java","transformation"],"created_at":"2024-08-02T00:00:59.560Z","updated_at":"2025-04-19T08:31:53.989Z","avatar_url":"https://github.com/usdAG.png","language":"Java","readme":"\n*Copyright 2017-2025 usd AG*\n\nLicensed under the *GNU General Public License, Version 3.0* (the \"License\"). You may not use this tool except in compliance with the License.\nYou may obtain a copy of the License at https://www.gnu.org/licenses/gpl-3.0.html\n\n![CSTC](media/CSTC_White_Smaller.png)\n\n![](https://github.com/usdAG/cstc/workflows/master%20maven%20CI/badge.svg?branch=master)\n![](https://github.com/usdAG/cstc/workflows/develop%20maven%20CI/badge.svg?branch=develop)\n\n# Cyber Security Transformation Chef\n\n*The Cyber Security Transformation Chef* (*CSTC*) is a *Burp Suite* extension. 
It is built for security experts to\nextend *Burp Suite* for chaining simple operations on each incoming or outgoing *HTTP* message.\nIt can also be used to quickly apply custom formatting on each message.\n\n![CSTC-Workflow](media/CSTC_Workflow.gif)\n\n## Introduction\n\n[Burp Suite](https://portswigger.net/) is a well-known piece of software which provides\na wide range of tools and functionality for conducting web application penetration\ntests. One problem often encountered when using *Burp Suite* for certain types of\nweb applications is the lack of quick extensibility or of the capability\nto conduct basic operations on incoming or outgoing messages.\n*Burp Suite* provides some functionality which can be used to adapt to certain scenarios\n(i.e. the *macro feature*); however, it is a time-consuming process, difficult to learn and error-prone.\n\nOver the years we developed software with a GUI adapted from the well-known\n[CyberChef](https://gchq.github.io/CyberChef/), providing several small operations which can be chained\nto conduct a complicated input transformation. The extension eliminates\nthe need for several plugins for input and output transformations because it is built in a more generic way.\n\n*CSTC* is especially useful for using already existing capabilities of *Burp Suite Professional* (*Burp Scanner*, *Backslash Powered Scanner*, ...)\non web applications using client-side calculated *MACs*, sequence numbers, or similar protections for request validation.\nHowever, *CSTC* also interoperates perfectly with other *Burp Suite* features that are available in the *Community Edition* (*Repeater*, *Intruder*, ...).\n\nIt is also a great help for analyzing obfuscated *HTTP*-based protocols because it can be used to de- and reobfuscate network traffic\npassing through the proxy. 
In this way, the analyst can concentrate on the task of finding vulnerabilities\ninstead of writing a new extension for removing the obfuscation.\n\nThe plugin has been successfully tested and decreased the time for performing tedious input and output transformations on *HTTP* messages.\n\n## Prerequisites\n\n*CSTC* can be used with either *Burp Suite Community Edition* or *Burp Suite Professional*.\n\n## Installation\n\n*CSTC* is available inside the *Burp Extension Storage* (*BApp Store*) and listed under the name *CSTC, Modular HTTP Manipulator*.\nRecently we observed some functionality issues when installing *CSTC* via *BApp Store*. These should be fixed by now, but if you\nencounter additional problems you may want to install *CSTC* manually.\n\nWe suggest pulling the source code and building it yourself, because you should never trust binaries\nand should always review the code which is used in a production setting.\n\nHowever, you can also pull a release from *GitHub* and install it by adding it to *Burp Suite*.\n\n**Build Process**\n\nThe build process is fairly easy. It currently requires an installed *JDK* and *Maven* to build.\nYou can build the extension with the following commands:\n\n```\n$ git clone https://github.com/usdAG/cstc.git\n$ cd cstc\n$ mvn package\n```\n\n*Maven* will automatically load the dependencies for building the extension and will build\na *Jar* containing all these dependencies. The created Jar file ``CSTC-X.X.X-jar-with-dependencies`` in the ``target`` directory can be\ninstalled in *Burp Suite* using the ``Extender-\u003eAdd-\u003eExtensiontype-java`` feature.\n\n## Usage\n\nThe tool uses a GUI whose basic idea is similar to that of [CyberChef](https://gchq.github.io/CyberChef/). However, it introduces\na new concept which we call *lanes*. The output of a *CSTC* transformation is always determined\nby the last *lane* which has an active operation. 
This takes some getting used to at first, but quickly feels intuitive.\nTake a look at our basic tutorial on [YouTube](https://www.youtube.com/watch?v=BUXvWfb_YWU) and make sure to read our initial\n*CSTC* [blog post](https://herolab.usd.de/news-cyber-security-transformation-chef/).\n\n**UPDATE:** Due to some incompatibility issues when installing *CSTC* via *BApp Store*, we had to switch to a new variable prefix.\nVariables from other *lanes* now have to be prefixed with ``$``, e.g. ``$Outgoing_step1``.\n\n## FAQ\n\n### How does the CSTC interact with other Extensions?\n\nRequests and responses pass through the extensions in the order that they are listed, from top to bottom (as described [here](https://portswigger.net/burp/documentation/desktop/extensions/managing-extensions)).\nDepending on the extensions in use, it may make sense to adjust the position of the CSTC. If you want to process a request manipulated by the CSTC in another extension,\nthe CSTC should be positioned above this extension. Conversely, the CSTC should be positioned below an extension if the CSTC is to work with the response processed by the extension in question.\nCurrently the Burp Montoya API doesn't offer a way to change this order automatically; therefore the CSTC cannot influence the interaction with other extensions itself.\n\n### What is the *Formatting* tab in the CSTC about?\n\nThe *CSTC Formatting* tab is available in all of Burp's HTTP message editors and shows the result of applying the recipe currently defined in *Formatting* to the content. It has a purely visual effect; the underlying message is not changed. It is intended for testing recipes and for temporarily visualizing changes to the HTTP message using the operations available in the CSTC.\n\nOnly the HTTP request message editor in the *Repeater* has an additional tab called *CSTC*. 
Here, the recipe currently defined in *Outgoing* is applied to the request, making it visible how the request is sent to the server **if** the CSTC is activated for the *Repeater*.\n\n## Feedback\n\nWe gladly appreciate all feedback, bug reports and feature requests.\nPlease understand that this tool is under active development and therefore will\nprobably contain some bugs :)\n","funding_links":[],"categories":["Beautifiers and Decoders","Java","Java (504)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FusdAG%2Fcstc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FusdAG%2Fcstc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FusdAG%2Fcstc/lists"}