Comments (9)
That was definitely the problem, i screwed up and didn't do the git checkout develop part
from cstc.
I thought i should also mention now that I thought I had it working, CSTC tab is showing modification to binary content in the file uploads which invalidates all of my payloads.
from cstc.
Hi 👋
First of all, thanks for reporting :)
The Issue
I initially thought it needed an "Extender" checkbox.
I guess this is the point. CSTC currently does not modify traffic that is created from the extender tool.
public RequestFilterDialog() {
this.filterSettings = new LinkedHashMap<>();
this.filterSettings.put(new Filter("Proxy", IBurpExtenderCallbacks.TOOL_PROXY), false);
this.filterSettings.put(new Filter("Repeater", IBurpExtenderCallbacks.TOOL_REPEATER), false);
this.filterSettings.put(new Filter("Spider", IBurpExtenderCallbacks.TOOL_SPIDER), false);
this.filterSettings.put(new Filter("Scanner", IBurpExtenderCallbacks.TOOL_SCANNER), false);
this.filterSettings.put(new Filter("Intruder", IBurpExtenderCallbacks.TOOL_INTRUDER), false);
The fix should be simple. Just adding a new Filter with name Extender
and the IBurpExtenderCallbacks.TOOL_EXTENDER
flag should do the trick. This will be implemented soon.
Trivia:
Concerning TokenJar, it is actually funny that it works with this extension, as this was probably not intended by the author. If you look at the code that modifies the HTTP messages you can find the following:
public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse message){
//EXIT, it was already proccessed by PROXY
if (toolFlag == IBurpExtenderCallbacks.TOOL_PROXY)
return;
//EXIT if Master Enable button is disabled
if (dataModel.getMasterEnable()==false)
return;
if (dataModel.getMasterIntruder()==false && toolFlag == IBurpExtenderCallbacks.TOOL_INTRUDER)
return;
if (dataModel.getMasterRepeater()==false && toolFlag == IBurpExtenderCallbacks.TOOL_REPEATER)
return;
if (isRequest){
processRequestMessage(message);
} else {
processResponseMessage(message);
}
As you can see, the code only covers the cases PROXY
, INTRUDER
and REPEATER
. However, the default action is to modify traffic and therefore it also works for extender. I guess this is unintended, as the extension does not allow you to disable it for extender requests.
The other Issue
The other issue you reported with the binary content occurs probably because your Project settings are wrong. Wrong in this context means, that you have configured UTF-8
as the default encoding. With this setting, when you have some non-UTF8 input inside an editor and modify something, Burp tries to interpret the non-UTF8 stuff as UTF8 and replaces all non-UTF8 characters with the corresponding invalid-unicode-code-point. Try setting your encoding to raw inside the project options (maybe it is even in user options, not sure 🤔 ) and it hopefully works fine. Otherwise, please open another issue (really another one :D Different bugs should be reported in different issues ;)).
from cstc.
Hi just wondering if you were doing a release anytime soon? I am actually working on an engagement right now where i could really use this. Thanks! (i'm referring to the application of transformations to extender requests)
from cstc.
Just used the dev build and followed your instructions and I don't see the Extensions as an option in the filter. I kicked off a scan that uses Active++ Extension and also saw in the logger that CSTC isn't making changes whereas in other areas selected it is. So i can confirm it is not apply changes to Extensions currently in dev.
from cstc.
Hi just wondering if you were doing a release anytime soon?
Not too soon, but we will prepare a new release for this year. Currently some other projects have priority, but I guess in October we can release a new version.
Just used the dev build and followed your instructions and I don't see the Extensions as an option in the filter.
I cannot reproduce this. Make sure to remove the CSTC version installed via BApp Store and to import the correct manually build jar file (CSTC-1.2.1-jar-with-dependencies.jar
). Here is the view from my machine:
Launching a scan with ActiveScan++ enabled shows the header being added for both, ordinary scanner requests as well as extender requests:
Please let me know whether this works for you. If this is a bug, we need to determine it's root cause before we can prepare a new release :)
from cstc.
Just reproducted again, I removed the CSTC extension. I ran the three commands from your instructions, and the BUILD says successful, then I open Burp add the extension manually using the jar file. I don't see any errors anywhere. I have attached the maven build log at the bottom in a text file and provided screenshots.
I am on BurpSuite Professional v2021.6.2 on Kali linux - Linux 5.10.0-kali9-amd64 1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
java --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.11+9-post-Debian-1, mixed mode, sharing)
Please let me know if there is anything else you need.
from cstc.
I ran the three commands from your instructions
If you mean the three instructions from the README.md
file, you build CSTC from the wrong branch to test the new feature. The feature was added to the development branch. The main branch is only used for releases and should always match the version that is present in BApp store. To get a CSTC version with the feature implemented you should use the following commands:
$ git clone https://github.com/usdAG/cstc.git
$ cd cstc
$ git checkout develop
$ mvn package
from cstc.
Hi, sorry for the long silence 👋
This feature was implemented in version 1.3.0 which is available in the releases section. A release to the BAppStore is pending but the new version 1.3.0 should be available there soon.
from cstc.
Related Issues (20)
- Add missing arithmetic operations for single numbers HOT 1
- Encryption / Encoding - Input / Output options not functional HOT 1
- Misc - Readfile / Writefile HOT 1
- Only show CSTC tranformation tab if filter is activated HOT 1
- Need rsa implementation HOT 6
- From_HTML_Entity function HOT 5
- CSTC recipe save not working HOT 1
- CSTC and Binary content modification HOT 5
- Add setter for multipart/form-data parameters HOT 2
- UI-Enhancement for the filter window HOT 4
- Loading and saving recipies does not work correctly HOT 2
- Apply transformations to extender requests HOT 1
- Operation state not saved/restored when re-opening Burp HOT 2
- Compatibility with the dark burp theme HOT 2
- Lane test feature broken HOT 1
- [Security] XmlFullSignature operation is vulnerable to XML External Entity Injection (XXE) HOT 3
- To uppercase HOT 1
- Add more algorithm support HOT 5
- JSON extractor cannot handle complex JSON structures HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cstc.