Burp Suite, the leading toolkit for web application security testing

Burp Decoder Help

Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.

Loading Raw Data

You can load data into Decoder in two ways:

You can use the "Text" and "Hex" buttons to toggle the type of editor to use on your data.

Transformations

Different transformations can be applied to different parts of the data. The following decode and encode operations are available:

Additionally, various common hash functions are available, dependent upon the capabilities of your Java platform.

When a part of the data has a transformation applied, the following things happen:

The new editor enables you to work recursively, applying multiple layers of transformations to the same data, to unpack or apply complex encoding schemes. Further, you can edit the transformed data in any of the editor panels, not only the top panel. So, for example, you can take a complex data structure, perform URL and HTML decoding on it, edit the decoded data, and then reapply the HTML and URL encoding (in reverse order), to generate modified but validly formatted data to use in an attack.

Working Manually

To perform manual decoding and encoding, use the drop-down lists to select the required transformation. The chosen transformation will be applied to the selected data, or to the whole data if nothing is selected.

Smart Decoding

On any panel within Decoder, you can click the "Smart Decode" button. Burp will then attempt to intelligently decode the contents of that panel by looking for data that appears to be encoded in recognizable formats such as URL-encoding or HTML-encoding. This action is performed recursively, continuing until no further recognizable data formats are detected. This option can be a useful first step when you have identified some opaque data, and want to take a quick look to see if it can be easily decoded into a more recognizable form. The decoding that is applied to each part of the data is indicated using the usual colorization.

Because Burp Decoder makes a "best guess" attempt to recognize some common encoding formats, it will sometimes make mistakes. When this occurs, you can easily see all of the stages involved in the decoding, and the transformation that was applied at each position. You can then manually fix any incorrect transformations using the manual controls, and continue the decoding manually or smartly from this point.
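The recursive best-guess decoding described above, sketched in Python as an added example; it is not Burp's code and does not reproduce Burp's heuristics. The detector set (URL, HTML, Base64), the function names and the sample string are assumptions of this example, and it decodes the whole string at each round rather than individual parts. Each stage is recorded so a wrong guess can be spotted and corrected by hand.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

# Assumed detector set for this example (not Burp's actual heuristics).
URL_RE = re.compile(r"%[0-9A-Fa-f]{2}")
HTML_RE = re.compile(r"&(?:#\d+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _try_base64(text):
    """Return decoded text, or None if this is unlikely to be Base64."""
    if len(text) < 8 or len(text) % 4 or not B64_RE.fullmatch(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Guard against false positives: require printable output.
    return decoded if decoded.isprintable() else None


def smart_decode(data, max_rounds=10):
    """Decode layer by layer; return (result, stages) so each guess can be audited."""
    stages = []
    for _ in range(max_rounds):
        if URL_RE.search(data):
            name, decoded = "url", unquote(data)
        elif HTML_RE.search(data):
            name, decoded = "html", html.unescape(data)
        else:
            name, decoded = "base64", _try_base64(data)
        if decoded is None or decoded == data:
            break  # nothing recognizable left
        stages.append((name, data, decoded))
        data = decoded
    return data, stages


# Constructed sample: Base64 wrapped in HTML entities, then URL-encoded.
SAMPLE = "dXNlcj1hbGljZQ%26%2361%3B%26%2361%3B"

if __name__ == "__main__":
    result, stages = smart_decode(SAMPLE)
    for name, before, after in stages:
        print(f"{name:7} {before!r} -> {after!r}")
    print("result:", result)
```

The word "password" is syntactically valid Base64, which is the kind of input where a best guess can go wrong; here the UTF-8 and printability checks reject it and the stage list stays empty.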


Copyright © 2014 PortSwigger Ltd. All rights reserved.