
usdag / cstc

159.0 4.0 21.0 22.92 MB

CSTC is a Burp Suite extension that allows request/response modification using a GUI analogous to CyberChef

Home Page: https://herolab.usd.de/news-cyber-security-transformation-chef/

License: GNU General Public License v3.0

Java 99.37% Python 0.63%
cyberchef extender burpsuite burp-extensions burp-plugin java encoding transformation

cstc's People

Contributors

dependabot[bot], fhaag95, flubshi, he-ro, kaimi-, lauritzh, lmrupp, qtc-de

cstc's Issues

AES Decryption Problem

Hi there,

I am trying to use AES Decryption with ECB Mode, but the problem is I cannot leave the IV field empty, and ECB Mode doesn't require an IV. I don't know if there is already a workaround for this.

[screenshot attached]

From_HTML_Entity function

Hi, it would be nice if it had a From_HTML_Entity function, because sometimes you need to decode JSON embedded in an HTML response.

CSTC Not Changing/Modifying Another Extensions Requests - but tab shows it is

Hello. Love the tool first of all.

I am doing some testing using the upload scanner extension and token jar extension for a site that allows file uploads that are then uploaded to an S3 bucket and retrievable with an AWSv4 signed URL. So this is a fairly complicated endeavor and I've been struggling to get this to work with a file upload, a preflight request to retrieve the download link, and then the redownload requester, so that upload scanner can have full visibility into what is working and what isn't. While this is occurring, tokenjar is successfully monitoring all inbound requests and modifying the authorization bearer tokens that I have in each request for upload scanner. After spending a lot of time seeing that CSTC was showing that it was seeing AND modifying my test requests in the configuration tab of the upload scanner (using the CSTC tab), I was convinced that it was working with the checkmark for the Filter option being selected for "Scanner" (I initially thought it needed an "Extender" checkbox). But after spending all of this time trying to figure it out, I chained Burp to another upstream Burp proxy and found out that it was working in those cases, because I had the Filter set for proxy in CSTC in the upstream Burp proxy instance where I had CSTC configured.

Long story short, it does not appear that CSTC is working for all requests, but it sure would be handy if it did. I'm not sure what is being done differently by an extension like tokenjar (https://portswigger.net/bappstore/d9e05bf81c8f4bae8a5b0b01955c5578), but CSTC is missing some requests from other extensions?

CSTC recipe save not working

The recipe save functionality of CSTC is not working for all operations that include checklists or buttons. This is known and already resolved in the development branch. Just mentioning it here in case somebody else encounters it.

CSTC and Binary content modification

Hello - in reference to #32 - I'm just opening another ticket.

CSTC is modifying binary content for situations like file uploads.

I confirmed that my user options were set to raw. There are no project options that have this option; either way it accomplishes the same thing, I'd imagine. Not sure if that was a clerical error on your part or I'm blind. I am on Kali Linux and have it set to display raw bytes now to confirm, and did so previously during my first encounter of the problem (restored the project and associated settings).

To reproduce, I'd recommend using an upstream proxy (I just chained two Burp instances together) so you can see the before and after tab and confirm that it isn't what you are viewing but it is what is actually being sent. That's how I verified what I saw after showing the display being different.

Add setter for multipart/form-data parameters

Using version 1.2.1, straight from the BApp store.

There does not currently seem to be a setter for parameters in a multipart/form-data request. Setting those parameters in another way e. g. with string replace is possible, but unnecessarily complicated and brittle. Having a dedicated setter for this would be nice.

Loading and saving recipes does not work correctly

Using version 1.2.1 from the BApp store.

Saving and loading recipes does not work correctly. How to reproduce:

  1. Create a recipe
  2. Save the recipe
  3. Modify the recipe in Burp
  4. Reload the previous state of the recipe from the file
  5. The recipe in Burp is not correctly replaced with the one from the file. Instead, some elements of the recipe from the file get added to the recipe in Burp

Add missing arithmetic operations for single numbers

Arithmetic operations like Multiply or Divide are currently only defined for a list of numbers. It would make sense to define them also for single numbers and let the user supply a number inside of an input field.

To uppercase

Would it be possible to add an operation for changing a string to uppercase? XORing with space works, but removes any numbers from the string in the process.

Only show CSTC transformation tab if filter is activated

I think it is kind of confusing to show the CSTC tab with its transformation even if the filter is not activated. It gives the impression that the request is still being manipulated before sending. I would propose that the CSTC tab only shows up if it is actually active.

E.g. If "Repeater" is not selected as filter in CSTC, the CSTC tab should not be shown at the Repeater.

Misc - Readfile / Writefile

The textfield inside the readfile / writefile operations is labeled with Variable name. I guess File name would be a better choice.

UI-Enhancement for the filter window

Using version 1.2.1 from the BApp store.

CSTC uses the filter window to determine, which Burp tools the transformations are applied to:

[screenshot: filter_1]

Currently, there are kind of two different filter windows: the filters for incoming and outgoing traffic have to be set separately by first selecting the tab for incoming or outgoing traffic in the upper left corner of the screen (see next screenshot) and then selecting the filter button.

[screenshot: filter_2]

At least for me, this is not very intuitive and it is easy to forget. I think it would be better to have a single filter window where the policy can be set for traffic in both directions.

[Security] XmlFullSignature operation is vulnerable to XML External Entity Injection (XXE)

Attention: The XmlFullSignature operation is vulnerable to XXE. This has the following implications:

  1. Depending on your use case of CSTC, you are directly vulnerable to this attack. E.g. if you enable CSTC with the XmlFullSignature operation for the proxy, any website you browse is potentially able to exfiltrate local files.
  2. The vulnerability may lead to false positive findings for your test subject, as the injection takes place on your machine but may appear to be a vulnerability of your subject.

Workaround: Until a fix is available, I would recommend not using the vulnerable XmlFullSignature operation.

Proof of Concept

Example Payload:

GET / HTTP/1.1
Host: poc.local
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>

Arrange your lanes as follows:
[screenshot: cstc_poc]

Vulnerable Code Snippet

Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(input));

Proposed Fix

The DocumentBuilder should be configured to disable external entities:

dbf.setExpandEntityReferences(false);
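The following is an added example, not code from CSTC or from the issue author, that puts the vulnerable one-liner above next to a hardened DocumentBuilderFactory configuration and feeds both the proof-of-concept payload. Disallowing the DOCTYPE is the primary defence OWASP recommends for DocumentBuilderFactory; setExpandEntityReferences(false) on its own is a weaker control, since it governs how entity references are represented in the DOM rather than whether the parser fetches the external resource, so it is added here only as defence in depth. The class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardening {

    // The payload from the proof of concept: an external entity pointing at a local file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>"
        + "<root>&test;</root>";

    // Constructed benign input that the hardened parser must still accept.
    static final String BENIGN = "<root><child>hello</child></root>";

    /** Mirrors the vulnerable snippet: a default factory resolves external entities. */
    static Document parseDefault(byte[] input) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(input));
    }

    /** Hardened variant: any document carrying a DOCTYPE is rejected before entities exist. */
    static Document parseHardened(byte[] input) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence (Xerces feature): no DOCTYPE means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for JAXP implementations that might not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(input));
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = BENIGN.getBytes(StandardCharsets.UTF_8);
        byte[] payload = PAYLOAD.getBytes(StandardCharsets.UTF_8);

        // Benign XML still parses with the hardened factory.
        System.out.println("hardened/benign : "
            + parseHardened(benign).getDocumentElement().getTextContent());

        // The XXE payload is refused at the DOCTYPE, before any entity can be resolved.
        try {
            parseHardened(payload);
            System.out.println("hardened/payload: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened/payload: rejected -> " + e.getMessage());
        }

        // Left commented out on purpose: with the default factory the text content of
        // <root> is the contents of /etc/passwd, which is exactly the bug in the issue.
        // System.out.println(parseDefault(payload).getDocumentElement().getTextContent());
    }
}
```

For an operation such as XmlFullSignature the right behaviour when the hardened parse throws is to fail the operation (and surface the error in the lane) rather than pass the input through unchanged, otherwise the rejected request still reaches the target.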

Encoding issues with raw data

As @mschader already mentioned in pull request #4, the handling of raw data (not UTF-8 encoded) is flawed in the current cstc implementation. If raw data is sent to cstc, it gets modified automatically by Java due to some superfluous string transformations.

Pull #4 should fix this for the initial part of the cstc workflow, but also all plugins should be checked for this behavior. Furthermore, it should be verified that changes on the encoding (like pull request #4) do not break other functionality.
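As an added example (mine, not code from CSTC, the pull request or the issue authors), the following shows the failure mode behind this issue and the earlier "CSTC and Binary content modification" report: a bytes-to-String-to-bytes round trip through a UTF-8 (or platform default) charset rewrites bytes that are not valid UTF-8, whereas ISO-8859-1 maps every byte to exactly one char and is lossless, and a transformation that works on byte arrays directly never touches the binary part at all. The multipart fragment is constructed for the example; class and method names are assumptions.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class RawByteHandling {

    // Four bytes that are not valid UTF-8, standing in for the start of a binary upload.
    static final byte[] BINARY = { (byte) 0xFF, (byte) 0xFE, (byte) 0x80, 0x00 };

    // Constructed sample: the tail of a multipart/form-data body with a file part.
    static final byte[] SAMPLE = concat(
        "Content-Disposition: form-data; name=\"file\"; filename=\"blob.bin\"\r\n\r\n"
            .getBytes(StandardCharsets.US_ASCII),
        BINARY,
        "\r\n--boundary--\r\n".getBytes(StandardCharsets.US_ASCII));

    /** The kind of superfluous transformation the issue describes: bytes -> String -> bytes. */
    static byte[] roundTrip(byte[] raw, Charset cs) {
        return new String(raw, cs).getBytes(cs);
    }

    /** Byte-level replace of the first occurrence of needle; bytes outside the match are untouched. */
    static byte[] replaceFirst(byte[] haystack, byte[] needle, byte[] replacement) {
        int at = indexOf(haystack, needle);
        if (at < 0) return haystack.clone();
        byte[] out = new byte[haystack.length - needle.length + replacement.length];
        System.arraycopy(haystack, 0, out, 0, at);
        System.arraycopy(replacement, 0, out, at, replacement.length);
        System.arraycopy(haystack, at + needle.length, out, at + replacement.length,
            haystack.length - at - needle.length);
        return out;
    }

    /** Naive byte-array search; returns -1 when needle is absent. */
    static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    static byte[] concat(byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        byte[] out = new byte[len];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, pos, p.length);
            pos += p.length;
        }
        return out;
    }

    public static void main(String[] args) {
        // UTF-8 decoding turns each undecodable byte into U+FFFD, which re-encodes as EF BF BD,
        // so the upload silently changes on the wire even though the request "looks" untouched.
        System.out.println("utf-8 round trip lossless:   "
            + Arrays.equals(SAMPLE, roundTrip(SAMPLE, StandardCharsets.UTF_8)));
        // ISO-8859-1 is a bijection between bytes 0x00-0xFF and chars U+0000-U+00FF.
        System.out.println("latin-1 round trip lossless: "
            + Arrays.equals(SAMPLE, roundTrip(SAMPLE, StandardCharsets.ISO_8859_1)));
        // What new String(raw) without a charset would do on this machine.
        Charset def = Charset.defaultCharset();
        System.out.println("default (" + def + ") lossless: "
            + Arrays.equals(SAMPLE, roundTrip(SAMPLE, def)));

        // Editing the textual part at byte level leaves the binary part byte-for-byte intact.
        byte[] edited = replaceFirst(SAMPLE,
            "blob.bin".getBytes(StandardCharsets.US_ASCII),
            "evil.bin".getBytes(StandardCharsets.US_ASCII));
        System.out.println("binary part survived edit:   " + (indexOf(edited, BINARY) >= 0));
    }
}
```

The check for each operation is therefore the same: run it on an input containing bytes 0x80-0xFF that are not valid UTF-8 and compare the output byte-for-byte (an upstream Burp instance, as the binary-content issue suggests, shows what actually left the proxy), and where an operation genuinely needs a String, decode and re-encode with ISO-8859-1 so the round trip is lossless.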

JSON extractor cannot handle complex JSON structures

Hi,

The JSON extractor can only handle simple values, but not more complex structures. It is also not very intuitive to use.

Given the following JSON:

{
    "abc": {
        "def": {
            "ghi": "jkl",
            "mno": "pqr"
        },
        "stu": {
            "vwx": "yza",
            "bcd": "efg"
        }
    }
}

If I want to have the abc.def subtree and specify "abc.def" for the extractor, I get the error message "JSON data of unknown type.", which is not very descriptive. In fact, the extractor only seems to be able to extract single values, e.g. "abc.def.ghi" works and returns the value "jkl".

  1. It would be nice to be able to extract whole subtrees with the extractor instead of only single values.
  2. It would be good to add a remark about the syntax to the help message. Even finding out that the syntax to retrieve an element is "abc.def.ghi" did take me a moment because it is not intuitive.
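The following is an added example (my code, not the extractor in CSTC) of a dotted-path extractor that behaves the way the issue asks for: a path ending on a scalar returns its text, a path ending on an object or array returns the subtree re-serialised as JSON, and a missing segment produces an error naming the segment and the prefix that was resolved successfully. It assumes Jackson (com.fasterxml.jackson.databind) is on the classpath; the document is the one from the issue, and the numeric-index handling for arrays goes beyond what the issue describes.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JsonPathExtractor {

    // The document from the issue, compacted.
    static final String SAMPLE =
        "{\"abc\":{\"def\":{\"ghi\":\"jkl\",\"mno\":\"pqr\"},"
        + "\"stu\":{\"vwx\":\"yza\",\"bcd\":\"efg\"}}}";

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Resolves a dotted path ("abc.def.ghi") against a JSON document.
     * Scalars come back as their text; objects and arrays come back as JSON so whole
     * subtrees can be extracted. Array elements are addressed by numeric segments
     * ("items.0.id"). An empty path returns the whole document.
     */
    static String extract(String json, String path) throws Exception {
        JsonNode node = MAPPER.readTree(json);
        String[] segments = path.isEmpty() ? new String[0] : path.split("\\.");
        StringBuilder resolved = new StringBuilder();
        for (String seg : segments) {
            JsonNode next = (node.isArray() && seg.matches("\\d+"))
                ? node.get(Integer.parseInt(seg))   // null when the index is out of range
                : node.get(seg);                    // null when absent or node is not an object
            if (next == null) {
                String where = resolved.length() == 0 ? "<root>" : resolved.toString();
                throw new IllegalArgumentException(
                    "No element '" + seg + "' under '" + where + "' (node type: "
                    + node.getNodeType() + ")");
            }
            if (resolved.length() > 0) resolved.append('.');
            resolved.append(seg);
            node = next;
        }
        return node.isValueNode() ? node.asText() : MAPPER.writeValueAsString(node);
    }

    public static void main(String[] args) throws Exception {
        // Single value, as the current extractor already supports.
        System.out.println(extract(SAMPLE, "abc.def.ghi"));
        // Whole subtree, which is what the issue asks for.
        System.out.println(extract(SAMPLE, "abc.def"));
        // A descriptive error instead of "JSON data of unknown type."
        try {
            extract(SAMPLE, "abc.xyz.ghi");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Putting the path syntax (dot-separated keys, numeric segments for array indices) into the operation's help text, as the second point asks, costs nothing and removes the guesswork described above.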

Compatibility with the dark burp theme

CSTC does not work well together with the dark Burp theme. For example, sometimes if you drag operations onto the operation lane, those operations will be invisible if the dark theme is used. While it is documented that there might be issues with the dark theme (see known issues), I think this problem should be fixed.

Lane test feature broken

The operations test feature seems to be broken:

Steps to reproduce:

  1. Paste a request or response into the "Input" field in the upper right corner of the CSTC window
  2. Add an operation to the lane, e.g. a static string operation

Expected behavior:
The "Output" field in the lower right part of the CSTC window should show the result of the operations applied to the input.

What happens:
The "Output" field remains empty.

When starting burp from the command line, the following error message is shown when the problem occurs:

java.lang.NullPointerException: Cannot invoke "burp.gqk.a(burp.guo)" because "this.a" is null
        at burp.gad.a(Unknown Source)
        at burp.gau.c(Unknown Source)
        at burp.cam.h(Unknown Source)
        at burp.bt4.l(Unknown Source)
        at burp.i64.getMessage(Unknown Source)
        at burp.bh5.getMessage(Unknown Source)
        at de.usd.cstchef.view.BurpEditorWrapper.getMessage(BurpEditorWrapper.java:46)
        at de.usd.cstchef.view.RecipePanel$8.run(RecipePanel.java:473)
        at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
        at java.base/java.util.TimerThread.run(Timer.java:506)
