Merge pull request #14 from usdAG/develop

Merge develop into master

CHANGELOG.md

@@ -0,0 +1,51 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2020-04-22
+
+### Added
+
+* Support operating on raw byte data.
+* Enable context menu inside the CSTC pane.
+* Add additional operations:
+  * *Divide* (Divide input by the given number).
+  * *Multiply* (Multiply input with the given number).
+  * *HttpCookieExtractor* (Extract cookies from *HTTP* requests).
+  * *HeaderSetter* (Set *HTTP* headers).
+  * *HttpSetBody* (Set *HTTP* body).
+  * *HttpSetCookie* (Set *HTTP* cookie).
+  * *HttpJsonSetter* (Set a JSON field in a HTTP request).
+  * *JsonSetter* (Set a value inside of a JSON string).
+  * *PostSetter* (Set a POST parameter).
+  * *XmlSetter* (Set a XML field in a HTTP request ).
+  * *HttpXmlExtractor* (Get a XML value from a HTTP request).
+  * *HttpJsonExtractor* (Get a JSON value from a HTTP request).
+* Add workflow demonstration in form of a GIF to README.md
+* Add a changelog :)
+
+### Changed
+
+* Fix typos in several modules.
+* Ignore the *IV* parameter when using encryption modules in *ECB* mode.
+* Support *raw* encoding for *FormattedTextFields*.
+* Make all operations work on raw bytes.
+* Implement the so far unimplemented input and output modes for encryption modules.
+* Correct syntax highlighting inside the CSTC pane.
+* Fix bugs in several different modules.
+* Update version of *jackson-databind*.
+* Adjust image icons displayed inside the nodetree.
+
+### Removed
+
+* Remove *FlowControl* and *Language* operation categories, as they are currently unused.
+* Remove *ReplaceBody* (was substituted by *HttpSetBody*).
+
+## [0.1.1] - 2019-08-20
+
+### Added
+
+* Initial release.

README.md

@@ -1,78 +1,87 @@
-Copyright 2017-2019 usd AG
+*Copyright 2017-2020 usd AG*
 
-Licensed under the GNU General Public License, Version 3.0 (the "License"); you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Licensed under the *GNU General Public License, Version 3.0* (the "License"). You may not use this tool except in compliance with the License.
+You may obtain a copy of the License at https://www.gnu.org/licenses/gpl-3.0.html
 
-https://www.gnu.org/licenses/gpl-3.0.html
+![CSTC](media/CSTC_White_Smaller.png)
 
-![CSTC](logos/CSTC_White_Smaller.png)
+# Cyber Security Transformation Chef
 
+*The Cyber Security Transformation Chef* (*CSTC*) is a *Burp Suite* extension. It is build for security experts to
+extend *Burp Suite* for chaining simple operations on each incoming or outgoing *HTTP* message.
+It can also be used to quickly apply custom formatting on each message.
 
-# Cyber Security Transformation Chef
-The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is build for security experts to
-extend Burp Suite for chaining simple operations for each incomming or outgoing message.
-It can also be used to quickly make a special custom formatting for the message.
+![CSTC-Workflow](media/CSTC_Workflow.gif)
 
 ## Introduction
-[Burp Suite](https://portswigger.net/) is a general known tool which provides
-a wide area of tools and functionality for conducting a web application penetration
-test. One problem often encountered when using the Burp Suite for certain type of
-web applications is the lack of a quick extensibility or the capability
-of conducting basic operations on the messages.
 
-The Burp Suite provides some functionality which can be used to adapt to certain scenarios
-(i.e. the macro feature), however it is a time consuming process and error-prone.
+[Burp Suite](https://portswigger.net/) is a general known software which provides
+a wide area of tools and functionality for conducting web application penetration
+tests. One problem often encountered when using *Burp Suite* for certain types of
+web applications is the lack of quick extensibility or the capability
+of conducting basic operations on incoming or outgoing messages.
+*Burp Suite* provides some functionality which can be used to adapt to certain scenarios
+(i.e. the *macro feature*), however it is a time consuming process, difficult to learn and error-prone.
 
 With the years we developed a software which provides a GUI which is adapted from the well known
-[CyberChef](https://gchq.github.io/CyberChef/) providing several small operations which can be chained
-to conduct complicated input transformations. There is no need of further coding. The extension eliminates
+[CyberChef](https://gchq.github.io/CyberChef/), providing several small operations which can be chained
+to conduct a complicated input transformation. The extension eliminates
 the need of having several plugins for input and output transformations because it is build in a more generic way.
 
-The CSTC is especially useful for using the quite good capabilities of Burp Suite Professional (Burp Scanner, Backslash Powered Scanner, ...)
-on web applications using client side calculated MACs, sequence numbers, or similiar.
+*CSTC* is especially useful for using already existing capabilities of *Burp Suite Professional* (*Burp Scanner*, *Backslash Powered Scanner*, ...)
+on web applications using client side calculated *MACs*, sequence numbers, or similar protections for request validation.
+However, *CSTC* does also perfectly interoperate with other *Burp Suite* features that are available in the *Community Edition* (*Repeater*, *Intruder*, ...).
+
+It is also a great help for analyzing obfuscated *HTTP* based protocols because it can be used to de- and reobfuscate network traffic
+passing through the proxy. In this way, the analyst can concentrate on the task of finding vulnerabilities
+instead of writing a new extension for removing the obfuscation.
 
-It is also a great help at analyzing obfuscated HTTP based protocols because it can be used to de- and reobfuscate the traffic
-passing through the proxy. In this way, the analyst can concentrate on task of finding vulnerabilities
-instead of writing new extensions for removing the obfuscation.
+The plugin has been successfully tested and decreased the time for performing tedious input and output transformations on *HTTP* messages.
 
-The plugin has been succesfully tested and decreased the time for performing the right tasks and not
-"fighting with tool" to get what is needed to test.
+## Prerequisites
 
-## Prerequities
-The CSTC can be used with either Burp Suite Free and Burp Suite Profesionnal.
+*CSTC* can be used with either *Burp Suite Community Edition* or *Burp Suite Professional*.
 
 ## Installation
 
-The CSTC is currently not listed in the Burp Extension Storage, but will be added there as soon as PortSwigger acknolwedges the Extension.
+*CSTC* is currently not listed in the *Burp Extension Storage* (*BApp Store*), but will be added there as soon as *PortSwigger* acknowledges the extension.
 
 We suggest to pull the source code and build it yourself, because you should never trust binaries
 and should always review the code which is used in a productive setting.
 
-However, you can also pull a release from GitHub and install it by adding it the Burp Suite.
+However, you can also pull a release from *GitHub* and install it by adding it to *Burp Suite*.
 
 ### Build Process
 
-The build process is fairly easy. It currently requires a installed JDK and Maven to build.
-
-You can build the extension with the following commands
+The build process is fairly easy. It currently requires a installed *JDK* and *Maven* to build.
+You can build the extension with the following commands:
 
 ```
-git clone https://github.com/usdAG/cstc.git
-cd cstc
-mvn package
+$ git clone https://github.com/usdAG/cstc.git
+$ cd cstc
+$ mvn package
 ```
 
-Maven will automatically load the dependencies for building the extension and will build
-a jar containing all dependencies. The created Jar file CSTC-X.X.X-jar-with-dependencies in the target directory can be 
-installed in Burp using the Extender->Add function.
+*Maven* will automatically load the dependencies for building the extension and will build
+a *Jar* containing all these dependencies. The created Jar file ``CSTC-X.X.X-jar-with-dependencies`` in the ``target`` directory can be 
+installed in *Burp Suite* using the ``Extender->Add->Extensiontype-java`` feature.
 
 ## Usage
-The tool uses a GUI which basic idea similar to the CyberChef. However, it introduces
-a concept which we call "lane". The output of the transformation is always determined
-from the the last lane which has an active operation. Take a look at a basic tutorial
-[here](https://www.youtube.com/watch?v=BUXvWfb_YWU).
+
+The tool uses a GUI which basic idea is similar to the [CyberChef](https://gchq.github.io/CyberChef/). However, it introduces
+a new concept which we call *lanes*. The output of a *CSTC* transformation is always determined
+from the the last *lane* which has an active operation. This initially takes getting used to, but quickly feels intuitive.
+Take a look at our basic tutorial on [YouTube](https://www.youtube.com/watch?v=BUXvWfb_YWU) and make sure to read our initial
+*CSTC* [blog post](https://herolab.usd.de/news-cyber-security-transformation-chef/).
+
+
+## Known Issues
+
+Unfortunately, the GUI of some *CSTC Operations* does not really work well together with the **dark theme** of *Burp Suite*. Therefore,
+we recommend to use a **light theme** for the best user experience.
 
 ## Feedback
-We gladly appreciate all feedback, bug requests and feature requests.
+
+We gladly appreciate all feedback, bug reports and feature requests.
 Please understand that this tool is under active development and therefore will
-probably contain some bugs.
+probably contain some bugs :)

example/example-server.py

@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+
+import logging
+import gzip
+import base64
+from sys import argv
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+class S(BaseHTTPRequestHandler):
+
+    def _set_response(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/html')
+        self.end_headers()
+
+    def do_GET(self):
+        logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))
+        self._set_response()
+        self.wfile.write("GET request for {}".format(self.path).encode('utf-8'))
+
+    def do_POST(self):
+        content_length = int(self.headers['Content-Length'])
+        post_data = self.rfile.read(content_length)
+
+        try:
+            result = base64.b64decode(post_data)
+        except:
+            self._set_response()
+            self.wfile.write(b"Error 1021: Server expects Base64 encoded and gzip compressed data.")
+            return
+
+        try: 
+            result = gzip.decompress(result)
+        except:
+            self._set_response()
+            self.wfile.write(b"Error 1022: Server expects Base64 encoded and gzip compressed data.")
+            return
+
+        self._set_response()
+        self.wfile.write(b"<h1>Processing Input: '" + result + b"'...</h1>")
+
+
+def run(server_class=HTTPServer, handler_class=S, port=8080):
+    logging.basicConfig(level=logging.INFO)
+    server_address = ('', port)
+    httpd = server_class(server_address, handler_class)
+    logging.info('Starting CSTC Example Server.\n')
+    try:
+        httpd.serve_forever()
+    except KeyboardInterrupt:
+        pass
+    httpd.server_close()
+    logging.info('Stopping CSTC Example Server...\n')
+
+
+if __name__ == '__main__':
+    if len(argv) == 2:
+        run(port=int(argv[1]))
+    else:
+        run()

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>de.usd.CSTC</groupId>
   <artifactId>CSTC</artifactId>
-  <version>0.1.1</version>
+  <version>1.0.0</version>
   <name>CSTC</name>
   <description>CSTC</description>
   <build>
@@ -74,7 +74,7 @@
 	<dependency>
 	    <groupId>com.fasterxml.jackson.core</groupId>
 	    <artifactId>jackson-databind</artifactId>
-	    <version>2.9.9.2</version>
+	    <version>2.9.10.3</version>
 	</dependency>
   </dependencies>
 </project>

src/burp/BurpExtender.java

@@ -1,16 +1,12 @@
 package burp;
 
 import java.awt.Component;
-import java.awt.Container;
 import java.awt.event.ActionEvent;
 import java.awt.event.ActionListener;
 import java.util.ArrayList;
 import java.util.List;
+
 import javax.swing.JMenuItem;
-import javax.swing.JTextArea;
-import javax.swing.JTextField;
-import javax.swing.plaf.basic.BasicTabbedPaneUI;
-import javax.swing.text.JTextComponent;
 
 import de.usd.cstchef.view.FormatTab;
 import de.usd.cstchef.view.RecipePanel;
@@ -79,7 +75,7 @@ public List<JMenuItem> createMenuItems(IContextMenuInvocation invoc) {
 			public void actionPerformed(ActionEvent e) {
 				IHttpRequestResponse[] msgs = invoc.getSelectedMessages();
 				if (msgs != null && msgs.length > 0) {
-					view.getIncomingRecipePanel().setInput(new String(msgs[0].getResponse()));
+					view.getIncomingRecipePanel().setInput(msgs[0]);
 				}
 			}
 		});
@@ -89,7 +85,7 @@ public void actionPerformed(ActionEvent e) {
 			public void actionPerformed(ActionEvent e) {
 				IHttpRequestResponse[] msgs = invoc.getSelectedMessages();
 				if (msgs != null && msgs.length > 0) {
-					view.getOutgoingRecipePanel().setInput(new String(msgs[0].getRequest()));
+					view.getOutgoingRecipePanel().setInput(msgs[0]);
 				}
 
 			}
@@ -100,7 +96,7 @@ public void actionPerformed(ActionEvent e) {
 			public void actionPerformed(ActionEvent e) {
 				IHttpRequestResponse[] msgs = invoc.getSelectedMessages();
 				if (msgs != null && msgs.length > 0) {
-					view.getFormatRecipePanel().setInput(new String(msgs[0].getRequest()));
+					view.getFormatRecipePanel().setInput(msgs[0]);
 				}
 			}
 		});
@@ -115,4 +111,4 @@ public IMessageEditorTab createNewInstance(IMessageEditorController controller,
 		RecipePanel responseFormatPanel = this.view.getFormatRecipePanel();
 		return new FormatTab(requestFormatPanel, responseFormatPanel, editable);
 	}
-}
+}

src/burp/CstcMessageEditorController.java

@@ -0,0 +1,37 @@
+package burp;
+
+public class CstcMessageEditorController implements IMessageEditorController {
+
+	private IHttpService httpService = null;
+	private byte[] request = null;
+	private byte[] response = null;
+
+	public void setHttpRequestResponse(IHttpRequestResponse requestResponse) {
+		this.httpService = requestResponse.getHttpService();
+		this.request = requestResponse.getRequest();
+		this.response = requestResponse.getResponse();
+	}
+
+	public void setRequest(byte[] request) {
+		this.request = request;
+	}
+
+	public void setResponse(byte[] response) {
+		this.request = response;
+	}
+
+	@Override
+	public IHttpService getHttpService() {
+		return httpService;
+	}
+
+	@Override
+	public byte[] getRequest() {
+		return request;
+	}
+
+	@Override
+	public byte[] getResponse() {
+		return response;
+	}
+}