Merge pull request #22 from usdAG/develop

Merge develop into master

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "java:maven"
+    directory: "/"
+    target_branch: "develop"
+    schedule:
+      interval: "daily"

.github/workflows/develop.yml

@@ -0,0 +1,30 @@
+name: develop maven CI
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+    branches:
+      - develop
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up JDK 1.8
+      uses: actions/setup-java@v1
+      with:
+        java-version: 1.8
+    - name: Cache local Maven repository
+      uses: actions/cache@v2
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-maven-
+    - name: Build with Maven
+      run: mvn -B package --file pom.xml

.github/workflows/master.yml

@@ -0,0 +1,30 @@
+name: master maven CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up JDK 1.8
+      uses: actions/setup-java@v1
+      with:
+        java-version: 1.8
+    - name: Cache local Maven repository
+      uses: actions/cache@v2
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          ${{ runner.os }}-maven-
+    - name: Build with Maven
+      run: mvn -B package --file pom.xml

CHANGELOG.md

@@ -6,6 +6,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [1.2.0] - 2020-06-28
+
+### Added
+
+* Add additional operations:
+  * *HTMLEncode* (Encode HTML special characters)
+  * *HTMLDecode* (Decode HTML special characters)
+  * *RsaEncrypt* (Encrypt data by using a public key)
+  * *RsaDecrypt* (Decrypt data using a private key)
+  * *RsaSignature* (Create an RSA signature)
+  * *NoOperation* (Does nothing :D)
+* Add *conditionals* operation class:
+  * *StringContains* (Skip if input contains a string)
+  * *StringMatch* (Skip if input matches a string)
+  * *RegexMatch* (Skip if input matches the specified regex)
+  * *NumberCompare* (Skip if comparison is true)
+* Add *Maven CI* for the master and development branch
+* Add *dependabot* config to prevent pushes to master
+
+### Changed
+
+* Byte operations now also allow multiple variables in one input field
+* *jackson-core* and *jackson-databind* updated to current version
+* Breakpoint operations now assign variables
+
+
 ## [1.1.1] - 2020-05-20
 
 ### Changed

README.md

@@ -1,10 +1,14 @@
+
 *Copyright 2017-2020 usd AG*
 
 Licensed under the *GNU General Public License, Version 3.0* (the "License"). You may not use this tool except in compliance with the License.
 You may obtain a copy of the License at https://www.gnu.org/licenses/gpl-3.0.html
 
 ![CSTC](media/CSTC_White_Smaller.png)
 
+![](https://github.com/usdAG/cstc/workflows/master%20maven%20CI/badge.svg?branch=master)
+![](https://github.com/usdAG/cstc/workflows/develop%20maven%20CI/badge.svg?branch=develop)
+
 # Cyber Security Transformation Chef
 
 *The Cyber Security Transformation Chef* (*CSTC*) is a *Burp Suite* extension. It is build for security experts to

example/example-server.py

@@ -40,7 +40,7 @@ def do_POST(self):
         self.wfile.write(b"<h1>Processing Input: '" + result + b"'...</h1>")
 
 
-def run(server_class=HTTPServer, handler_class=S, port=8080):
+def run(server_class=HTTPServer, handler_class=S, port=8000):
     logging.basicConfig(level=logging.INFO)
     server_address = ('', port)
     httpd = server_class(server_address, handler_class)

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>de.usd.CSTC</groupId>
   <artifactId>CSTC</artifactId>
-  <version>1.1.1</version>
+  <version>1.2.0</version>
   <name>CSTC</name>
   <description>CSTC</description>
   <properties>
@@ -71,13 +71,18 @@
 	<dependency>
 	    <groupId>com.fasterxml.jackson.core</groupId>
 	    <artifactId>jackson-core</artifactId>
-	    <version>2.9.9</version>
+	    <version>2.11.1</version>
 	</dependency>
 	<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
 	<dependency>
 	    <groupId>com.fasterxml.jackson.core</groupId>
 	    <artifactId>jackson-databind</artifactId>
-	    <version>2.9.10.4</version>
+        <version>2.11.1</version>
 	</dependency>
+    <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-text</artifactId>
+        <version>1.8</version>
+    </dependency>
   </dependencies>
 </project>

src/de/usd/cstchef/Utils.java

@@ -14,6 +14,8 @@
 import java.util.zip.ZipInputStream;
 
 import burp.BurpUtils;
+import burp.IBurpExtenderCallbacks;
+import burp.IExtensionHelpers;
 import burp.Logger;
 import de.usd.cstchef.operations.Operation;
 import de.usd.cstchef.operations.arithmetic.Addition;
@@ -33,8 +35,14 @@
 import de.usd.cstchef.operations.compression.GUnzip;
 import de.usd.cstchef.operations.compression.Gzip;
 import de.usd.cstchef.operations.compression.Inflate;
+import de.usd.cstchef.operations.conditional.NumberCompare;
+import de.usd.cstchef.operations.conditional.RegexMatch;
+import de.usd.cstchef.operations.conditional.StringContains;
+import de.usd.cstchef.operations.conditional.StringMatch;
 import de.usd.cstchef.operations.dataformat.FromBase64;
 import de.usd.cstchef.operations.dataformat.FromHex;
+import de.usd.cstchef.operations.dataformat.HtmlDecode;
+import de.usd.cstchef.operations.dataformat.HtmlEncode;
 import de.usd.cstchef.operations.dataformat.ToBase64;
 import de.usd.cstchef.operations.dataformat.ToHex;
 import de.usd.cstchef.operations.dataformat.UrlDecode;
@@ -45,6 +53,8 @@
 import de.usd.cstchef.operations.encryption.AesEncryption;
 import de.usd.cstchef.operations.encryption.DesDecryption;
 import de.usd.cstchef.operations.encryption.DesEncryption;
+import de.usd.cstchef.operations.encryption.RsaDecryption;
+import de.usd.cstchef.operations.encryption.RsaEncryption;
 import de.usd.cstchef.operations.extractors.HttpBodyExtractor;
 import de.usd.cstchef.operations.extractors.HttpCookieExtractor;
 import de.usd.cstchef.operations.extractors.HttpGetExtractor;
@@ -84,6 +94,7 @@
 import de.usd.cstchef.operations.setter.HttpXmlSetter;
 import de.usd.cstchef.operations.setter.JsonSetter;
 import de.usd.cstchef.operations.setter.LineSetter;
+import de.usd.cstchef.operations.signature.RsaSignature;
 import de.usd.cstchef.operations.signature.XmlFullSignature;
 import de.usd.cstchef.operations.signature.XmlMultiSignature;
 import de.usd.cstchef.operations.string.Length;
@@ -94,6 +105,7 @@
 import de.usd.cstchef.operations.string.Substring;
 import de.usd.cstchef.operations.string.Suffix;
 import de.usd.cstchef.operations.utils.GetVariable;
+import de.usd.cstchef.operations.utils.NoOperation;
 import de.usd.cstchef.operations.utils.RandomNumber;
 import de.usd.cstchef.operations.utils.SetIfEmpty;
 import de.usd.cstchef.operations.utils.StoreVariable;
@@ -133,18 +145,36 @@ public static String replaceVariables(String text) {
 	public static byte[] replaceVariablesByte(byte[] bytes) {
 		HashMap<String, byte[]> variables = VariableStore.getInstance().getVariables();
 
+        IBurpExtenderCallbacks callbacks = BurpUtils.getInstance().getCallbacks();
+		IExtensionHelpers helpers = callbacks.getHelpers();
+
 		byte[] currentKey;
 		for (Entry<String, byte[]> entry : variables.entrySet()) {
 
+            int offset = 0;
 			currentKey = ("$" + entry.getKey()).getBytes();
-			if( Arrays.equals(currentKey, bytes) ) {
-					bytes = entry.getValue();
-			}
 
+            while( offset >= 0 ) {
+                offset = helpers.indexOf(bytes, currentKey, true, offset, bytes.length);
+                if( offset >= 0 )
+                    bytes = insertAtOffset(bytes, offset, offset + currentKey.length, entry.getValue());
+            }
 		}
 		return bytes;
 	}
 
+    public static byte[] insertAtOffset(byte[] input, int start, int end, byte[] newValue) {
+		byte[] prefix = Arrays.copyOfRange(input, 0, start);
+		byte[] rest = Arrays.copyOfRange(input, end, input.length);
+
+		byte[] output = new byte[prefix.length + newValue.length + rest.length];
+		System.arraycopy(prefix, 0, output, 0, prefix.length);
+		System.arraycopy(newValue, 0, output, prefix.length, newValue.length);
+		System.arraycopy(rest, 0, output, prefix.length + newValue.length, rest.length);
+
+		return output;
+	}
+
 	public static Class<? extends Operation>[] getOperationsBurp() {
 		ZipInputStream zip = null;
 		List<Class<? extends Operation>> operations = new ArrayList<Class<? extends Operation>>();
@@ -191,18 +221,24 @@ public static Class<? extends Operation>[] getOperationsDev() {
             Blake.class, DateTime.class, Deflate.class, DesDecryption.class, DesEncryption.class,
             Divide.class, DivideList.class, DSTU7564.class, FromBase64.class, FromHex.class,
             GetVariable.class, Gost.class, GUnzip.class, Gzip.class, Hmac.class,
-            HttpBodyExtractor.class, HttpCookieExtractor.class, HttpGetExtractor.class, HttpGetSetter.class, HttpHeaderExtractor.class,
-            HttpHeaderSetter.class, HttpJsonExtractor.class, HttpJsonSetter.class, HttpMethodExtractor.class, HttpPostExtractor.class,
-            HttpPostSetter.class, HTTPRequest.class, HttpSetBody.class, HttpSetCookie.class, HttpSetUri.class,
-            HttpUriExtractor.class, HttpXmlExtractor.class, HttpXmlSetter.class, Inflate.class, JsonExtractor.class,
-            JsonSetter.class, Length.class, LineExtractor.class, LineSetter.class, MD2.class, MD4.class, MD5.class,
-            Mean.class, Median.class, Multiply.class, MultiplyList.class, Prefix.class, RandomNumber.class,
-            ReadFile.class, RegexExtractor.class, Replace.class, RIPEMD.class, SetIfEmpty.class, SHA1.class,
-            SHA2.class, SHA3.class, Skein.class, SplitAndSelect.class, StaticString.class, StoreVariable.class,
-            Sub.class, Substring.class, Subtraction.class, Suffix.class, Sum.class,
-            Tiger.class, ToBase64.class, ToHex.class, UnixTimestamp.class, UrlDecode.class,
-            UrlEncode.class, Whirlpool.class, WriteFile.class, XmlFullSignature.class, XmlMultiSignature.class,
-            Xor.class };
+            HttpBodyExtractor.class, HttpCookieExtractor.class, HttpGetExtractor.class,
+            HttpGetSetter.class, HttpHeaderExtractor.class, HttpHeaderSetter.class,
+            HttpJsonExtractor.class, HttpJsonSetter.class, HttpMethodExtractor.class,
+            HttpPostExtractor.class, HttpPostSetter.class, HTTPRequest.class, HttpSetBody.class,
+            HttpSetCookie.class, HttpSetUri.class, HttpUriExtractor.class, HttpXmlExtractor.class,
+            HttpXmlSetter.class, HtmlEncode.class, HtmlDecode.class, Inflate.class,
+            JsonExtractor.class, JsonSetter.class, Length.class, LineExtractor.class,
+            LineSetter.class, MD2.class, MD4.class, MD5.class, Mean.class, Median.class,
+            Multiply.class, MultiplyList.class, NoOperation.class, NumberCompare.class, Prefix.class,
+            RandomNumber.class, ReadFile.class, RegexExtractor.class, Replace.class, RIPEMD.class,
+            RsaDecryption.class, RsaEncryption.class, RsaSignature.class, RegexMatch.class,
+            SetIfEmpty.class, SHA1.class, SHA2.class, SHA3.class, Skein.class, SplitAndSelect.class,
+            StaticString.class, StoreVariable.class, Sub.class, Substring.class, Subtraction.class,
+            Suffix.class, Sum.class, StringContains.class, StringMatch.class, Tiger.class,
+            ToBase64.class, ToHex.class, UnixTimestamp.class, UrlDecode.class, UrlEncode.class,
+            Whirlpool.class, WriteFile.class, XmlFullSignature.class, XmlMultiSignature.class,
+            Xor.class
+		};
 	}
 
 	public static Class<? extends Operation>[] getOperations() {

src/de/usd/cstchef/operations/Operation.java

@@ -70,6 +70,9 @@ public abstract class Operation extends JPanel {
 	private Box contentBox;
 	private Map<String, Component> uiElements;
 
+    private int operationSkip = 0;
+    private int laneSkip = 0;
+
 	public Operation() {
 		super();
 		this.uiElements = new HashMap<>();
@@ -190,7 +193,9 @@ private Object getUiValues(Component comp) {
 		} else if (comp instanceof JSpinner) {
 			result = ((JSpinner) comp).getValue();
 		} else if (comp instanceof JComboBox) {
-			result = ((JComboBox<?>) comp).getSelectedItem().toString();
+			result = ((JComboBox<?>) comp).getSelectedItem();
+			if( result != null )
+				result = result.toString();
 		} else if (comp instanceof JCheckBox) {
 			result = ((JCheckBox) comp).isSelected();
 		} else if (comp instanceof FormatTextField) {
@@ -391,6 +396,26 @@ public void setError(boolean error) {
 		this.error = error;
 	}
 
+    public void setOperationSkip(int count) {
+        if( count < 0 )
+            count = 0;
+        this.operationSkip = count;
+    }
+
+    public int getOperationSkip() {
+        return this.operationSkip;
+    }
+
+    public void setLaneSkip(int count) {
+        if( count < 0 )
+            count = 0;
+        this.laneSkip = count;
+    }
+
+    public int getLaneSkip() {
+        return this.laneSkip;
+    }
+
 	@Retention(RetentionPolicy.RUNTIME)
 	@Target(ElementType.TYPE)
 	public @interface OperationInfos {

src/de/usd/cstchef/operations/OperationCategory.java

@@ -4,6 +4,7 @@ public enum OperationCategory {
 	ARITHMETIC("Arithmetic"),
 	BYTEOPERATION("Byte Operations"),
 	COMPRESSION("Compression"),
+	CONDITIONALS("Conditionals"),
 	DATAFORMAT("Data format"),
 	DATES("Date / Time"),
 	ENCRYPTION("Encryption / Encoding"),

src/de/usd/cstchef/operations/conditional/ConditionalOperation.java

@@ -0,0 +1,52 @@
+package de.usd.cstchef.operations.conditional;
+
+import javax.swing.JTextField;
+
+import de.usd.cstchef.operations.Operation;
+import de.usd.cstchef.view.ui.VariableTextField;
+
+public abstract class ConditionalOperation extends Operation {
+
+	protected VariableTextField expr;
+	private JTextField operationSkipField;
+	private JTextField laneSkipField;
+
+	public void setOperationSkip() {
+
+		try {
+			int operationSkip = Integer.valueOf(operationSkipField.getText());
+			this.setOperationSkip(operationSkip);
+		} catch( Exception e ) {
+			throw new IllegalArgumentException("Input is not a number.");
+		}
+	}
+
+	public void setLaneSkip() {
+
+		try {
+			int laneSkip = Integer.valueOf(laneSkipField.getText());
+			this.setLaneSkip(laneSkip);
+		} catch( Exception e ) {
+			throw new IllegalArgumentException("Input is not a number.");
+		}
+	}
+
+	public void resetSkips() {
+		this.setOperationSkip(0);
+		this.setLaneSkip(0);
+	}
+
+	@Override
+	public void createUI() {
+		this.expr = new VariableTextField();
+		this.addUIElement("Expr", this.expr);
+
+		this.operationSkipField = new JTextField("0");
+		this.addUIElement("Skip Operations", this.operationSkipField);
+
+		this.laneSkipField = new JTextField("0");
+		this.addUIElement("Skip Lanes", this.laneSkipField);
+
+	}
+
+}