
Comments (9)

Himself132 commented on June 16, 2024

That was definitely the problem, I screwed up and didn't do the git checkout develop part.


Himself132 commented on June 16, 2024

I thought I should also mention now that I thought I had it working, CSTC tab is showing modification to binary content in the file uploads which invalidates all of my payloads.



qtc-de commented on June 16, 2024

Hi 👋

First of all, thanks for reporting :)

The Issue


> I initially thought it needed an "Extender" checkbox.

I guess this is the point. CSTC currently does not modify traffic that is created from the extender tool.

	public RequestFilterDialog() {
		this.filterSettings = new LinkedHashMap<>();
		this.filterSettings.put(new Filter("Proxy", IBurpExtenderCallbacks.TOOL_PROXY), false);
		this.filterSettings.put(new Filter("Repeater", IBurpExtenderCallbacks.TOOL_REPEATER), false);
		this.filterSettings.put(new Filter("Spider", IBurpExtenderCallbacks.TOOL_SPIDER), false);
		this.filterSettings.put(new Filter("Scanner", IBurpExtenderCallbacks.TOOL_SCANNER), false);
		this.filterSettings.put(new Filter("Intruder", IBurpExtenderCallbacks.TOOL_INTRUDER), false);

The fix should be simple. Just adding a new Filter with name Extender and the IBurpExtenderCallbacks.TOOL_EXTENDER flag should do the trick. This will be implemented soon.

Trivia:


Concerning TokenJar, it is actually funny that it works with this extension, as this was probably not intended by the author. If you look at the code that modifies the HTTP messages you can find the following:

    public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse message){
        //EXIT, it was already processed by PROXY
        if (toolFlag == IBurpExtenderCallbacks.TOOL_PROXY)
            return;

        //EXIT if Master Enable button is disabled
        if (dataModel.getMasterEnable()==false)
            return;
        if (dataModel.getMasterIntruder()==false && toolFlag == IBurpExtenderCallbacks.TOOL_INTRUDER)
            return;
        if (dataModel.getMasterRepeater()==false && toolFlag == IBurpExtenderCallbacks.TOOL_REPEATER)
            return;

        //Every other tool flag falls through to here
        if (isRequest){
            processRequestMessage(message);
        } else {
            processResponseMessage(message);
        }
    }

As you can see, the code only covers the cases PROXY, INTRUDER and REPEATER. However, the default action is to modify traffic and therefore it also works for extender. I guess this is unintended, as the extension does not allow you to disable it for extender requests.

The other Issue


The other issue you reported with the binary content occurs probably because your Project settings are wrong. Wrong in this context means, that you have configured UTF-8 as the default encoding. With this setting, when you have some non-UTF8 input inside an editor and modify something, Burp tries to interpret the non-UTF8 stuff as UTF8 and replaces all non-UTF8 characters with the corresponding invalid-unicode-code-point. Try setting your encoding to raw inside the project options (maybe it is even in user options, not sure 🤔 ) and it hopefully works fine. Otherwise, please open another issue (really another one :D Different bugs should be reported in different issues ;)).

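The binary corruption described in the comment above can be modelled outside Burp; this is an added example, not code from CSTC or Burp. It assumes the editor behaves like a decode, edit, re-encode round trip, uses a constructed upload body, and uses Latin-1 as a stand-in for a byte-preserving "raw" setting.

```python
from typing import Optional

# Constructed sample body (not taken from the issue): JPEG-style magic bytes
# followed by a text marker that the tester wants to change.
UPLOAD = bytes.fromhex("ffd8ffe000104a464946") + b"\x00\x01\x80\xfe payload"

REPLACEMENT = "\ufffd".encode("utf-8")  # U+FFFD encodes to EF BF BD


def edit_as_text(body: bytes, encoding: str, old: str, new: str) -> bytes:
    """Model a text editor: decode the body, apply the edit, re-encode."""
    text = body.decode(encoding, errors="replace")
    return text.replace(old, new).encode(encoding)


def first_invalid_offset(body: bytes) -> Optional[int]:
    """Offset of the first byte that is not valid UTF-8, or None."""
    try:
        body.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def report(body: bytes) -> dict:
    """Compare the same text edit under UTF-8 and under a byte-preserving codec."""
    as_utf8 = edit_as_text(body, "utf-8", "payload", "PAYLOAD")
    as_raw = edit_as_text(body, "latin-1", "payload", "PAYLOAD")
    return {
        "first_invalid_offset": first_invalid_offset(body),
        "utf8_replacements": as_utf8.count(REPLACEMENT),
        "utf8_length": len(as_utf8),
        "raw_length": len(as_raw),
        "raw_prefix_intact": as_raw[:14] == body[:14],
    }


if __name__ == "__main__":
    for key, value in report(UPLOAD).items():
        print(f"{key}: {value}")
```

Searching an outgoing body for the byte sequence EF BF BD that was not present in the original file is a quick check for this kind of corruption.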

Himself132 commented on June 16, 2024

Hi, just wondering if you were doing a release anytime soon? I am actually working on an engagement right now where I could really use this. Thanks! (I'm referring to the application of transformations to extender requests)


Himself132 commented on June 16, 2024

Just used the dev build and followed your instructions and I don't see the Extensions as an option in the filter. I kicked off a scan that uses Active++ Extension and also saw in the logger that CSTC isn't making changes whereas in other areas selected it is. So I can confirm it is not applying changes to Extensions currently in dev.


qtc-de commented on June 16, 2024

> Hi just wondering if you were doing a release anytime soon?

Not too soon, but we will prepare a new release for this year. Currently some other projects have priority, but I guess in October we can release a new version.

> Just used the dev build and followed your instructions and I don't see the Extensions as an option in the filter.

I cannot reproduce this. Make sure to remove the CSTC version installed via BApp Store and to import the correct manually built jar file (CSTC-1.2.1-jar-with-dependencies.jar). Here is the view from my machine:

image

Launching a scan with ActiveScan++ enabled shows the header being added for both, ordinary scanner requests as well as extender requests:

image

Please let me know whether this works for you. If this is a bug, we need to determine its root cause before we can prepare a new release :)


Himself132 commented on June 16, 2024

Just reproduced again, I removed the CSTC extension. I ran the three commands from your instructions, and the BUILD says successful, then I open Burp and add the extension manually using the jar file. I don't see any errors anywhere. I have attached the maven build log at the bottom in a text file and provided screenshots.

I am on BurpSuite Professional v2021.6.2 on Kali Linux - Linux 5.10.0-kali9-amd64 1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux

java --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.11+9-post-Debian-1, mixed mode, sharing)

Please let me know if there is anything else you need.


cstc-build-log.txt


qtc-de commented on June 16, 2024

> I ran the three commands from your instructions

If you mean the three instructions from the README.md file, you built CSTC from the wrong branch to test the new feature. The feature was added to the development branch. The main branch is only used for releases and should always match the version that is present in BApp store. To get a CSTC version with the feature implemented you should use the following commands:

$ git clone https://github.com/usdAG/cstc.git
$ cd cstc
$ git checkout develop
$ mvn package


fhaag95 commented on June 16, 2024

Hi, sorry for the long silence 👋
This feature was implemented in version 1.3.0 which is available in the releases section. A release to the BAppStore is pending but the new version 1.3.0 should be available there soon.
