Saturday from 12:00 – 13:50 in Sunset 1 at Planet Hollywood
Audience: Offense, Defense, AppSec, Mobile. Ralf Almon & Sebastian Puttkammer

CSTC is a Burp Suite extension for input transformations. Instead of one narrowly scoped Burp plugin per product quirk, it offers a generic toolbox: a wide range of very simple operations that can be chained into complex transformations, so a penetration tester can build exactly the transformation a specific target needs without writing any code or setting up a development environment, both of which cost time. Transformations for requests and responses are configured by drag and drop. Operations include calculating HMACs over parts of a request, refreshing timestamps, updating sequence numbers and encrypting parts of a request, and they compose: for example, you can extract a part of the request, decompress it, insert your payload with Repeater or through the Scanner, and compress and reinsert it before the request is sent. Because the basic operations are already implemented, you can focus on testing the application rather than searching for an extension that performs the transformation you need.
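The recipe described above (decompress, insert payload, recompress, refresh timestamp, sign), written out by hand in Python as an added illustration of what such a chain does; this is not code from CSTC or its authors, which does the same by drag and drop inside Burp. The request format, the `__PAYLOAD__` marker, the `X-Timestamp`/`X-Signature` headers and the shared secret are constructed assumptions for the example.

```python
import gzip
import hashlib
import hmac
import json
import time

# Assumption for the example: the target verifies X-Signature with this shared key.
SECRET = b"constructed-demo-secret"
# Constructed marker for the insertion point; in Burp this would be a Repeater or
# Scanner insertion point instead of a literal token.
MARKER = b"__PAYLOAD__"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return lines[0], headers, body


def serialize_request(request_line, headers, body):
    """Rebuild the raw request; Content-Length always tracks the final body."""
    headers["Content-Length"] = str(len(body))
    head = b"\r\n".join([request_line] + [f"{k}: {v}".encode() for k, v in headers.items()])
    return head + b"\r\n\r\n" + body


# Every operation maps a (request_line, headers, body) triple to a new triple, so
# operations can be chained in any order, like the operation list in CSTC.
def decompress_body(req):
    line, headers, body = req
    return line, headers, gzip.decompress(body)


def insert_payload(payload):
    def op(req):
        line, headers, body = req
        return line, headers, body.replace(MARKER, payload)
    return op


def compress_body(req):
    line, headers, body = req
    return line, headers, gzip.compress(body)


def refresh_timestamp(now=None):
    def op(req):
        line, headers, body = req
        headers["X-Timestamp"] = str(int(time.time() if now is None else now))
        return line, headers, body
    return op


def sign_body(req):
    """HMAC-SHA256 over "<timestamp>.<body>" (assumed server scheme)."""
    line, headers, body = req
    msg = headers["X-Timestamp"].encode() + b"." + body
    headers["X-Signature"] = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return line, headers, body


def apply_chain(raw, chain):
    req = parse_request(raw)
    for op in chain:
        req = op(req)
    return serialize_request(*req)


def inject(raw, payload, now=None):
    """The full recipe: decompress, insert, recompress, refresh timestamp, sign."""
    chain = [decompress_body, insert_payload(payload), compress_body,
             refresh_timestamp(now), sign_body]
    return apply_chain(raw, chain)


def verify_signature(raw):
    """Server-side check, used to confirm the rewritten request still validates."""
    _, headers, body = parse_request(raw)
    msg = headers["X-Timestamp"].encode() + b"." + body
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def decode_body(raw):
    """Decompress and parse the JSON body, to inspect what the target would see."""
    return json.loads(gzip.decompress(parse_request(raw)[2]))


def build_sample_request():
    """Constructed sample: gzip-compressed JSON body with a stale signature."""
    body = gzip.compress(json.dumps({"user": "alice", "query": "__PAYLOAD__"}).encode())
    return serialize_request(
        b"POST /api/search HTTP/1.1",
        {"Host": "target.example", "Content-Type": "application/json",
         "Content-Encoding": "gzip", "X-Timestamp": "0", "X-Signature": "stale"},
        body,
    )


if __name__ == "__main__":
    tampered = inject(build_sample_request(), b"' OR 1=1--", now=1700000000)
    print(tampered.split(b"\r\n\r\n")[0].decode())
    print(decode_body(tampered), "signature valid:", verify_signature(tampered))
```

Without the last two operations the injected request would be rejected before the payload is ever evaluated, which is why timestamp refresh and signing have to run after the payload is inserted and the body recompressed; CSTC lets you express exactly this ordering in the extension's UI rather than in a script like this one.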

https://github.com/usdag/cstc

Ralf Almon
Ralf Almon is a Security Analyst with years of experience in penetration testing. He works at usd AG in Germany and holds a master’s degree in Information Security from TU Darmstadt. He gained a lot of industry knowledge working as a consultant in various industries ranging from aerospace and aviation to the finance sector.

Sebastian Puttkammer
Sebastian Puttkammer is a Security Analyst working for usd AG in Germany. His main interests are network/web app security and reverse engineering. He holds a master’s degree in computer science from TU Darmstadt. He is currently in charge of the Code Review Team at usd AG and performs black-box and white-box pentests.