When using Burp Suite, you will often come across data that is using some form of encoding. Encoding is generally designed to put data into a form a computer system can handle; unfortunately, it also tends to make that data impossible, or at least difficult, to read. In some cases, the data can be decoded back to a human-readable form, but in other cases the underlying data was already random and decoding won’t produce intelligible results. Burp includes a tool called “Decoder” to help decode data so you can see what it says, or confirm that it doesn’t contain human-readable data.
How to decode data
To add data to Decoder you can either type it manually, paste it from the clipboard, or right-click on it in the Target, Proxy, Intruder, or Repeater tabs and click “Send to Decoder”. You can do this with entire requests; however, it will generally be more helpful to limit it to just the data you want decoded by highlighting it before you right-click.
Once you’ve got data in Decoder, you can decode it by clicking the “Decode as” button on the right and selecting the encoding scheme you think it is using. All of the options will accept any input, but they might not produce printable characters, which generally means that the data wasn’t using that encoding or that it was just randomly generated.
The encodings you can choose between are Plain, URL, HTML, Base64, ASCII hex, Hex, Octal, Binary, and Gzip. Select one of these from the dropdown box and Burp will display the output in a new box below. The new box comes with its own set of identical controls, so if you find that the output is still encoded you can decode it again, even if the decoding type is different. For example, if you decode a Base64 string and find another Base64 string, you can decode that too.
Tip: You can chain together many levels of decoding; you’re not limited to just one or two stages.
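The multi-stage decoding described above, as an added example that is not part of the original article or of Burp itself: a small Python model of the “Decode as” menu that applies schemes one after another, and a helper that tries every scheme and keeps only the ones whose output is printable and actually changed (the page’s rule of thumb for “did this decode?”). The scheme names are the page’s; the functions, and the constructed sample value, are this example’s assumptions.

```python
import base64
import binascii
import gzip
import html
import string
import urllib.parse

# Decoding schemes named after Burp Decoder's "Decode as" options.
# Plain is the identity, so it is omitted; Hex/Octal/Binary are left out for brevity.
DECODERS = {
    "URL": lambda b: urllib.parse.unquote_to_bytes(b),
    "HTML": lambda b: html.unescape(b.decode("utf-8", "replace")).encode("utf-8"),
    "Base64": lambda b: base64.b64decode(b, validate=True),
    "ASCII hex": lambda b: binascii.unhexlify(b.strip()),
    "Gzip": lambda b: gzip.decompress(b),
}

PRINTABLE = set(string.printable.encode())


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII; non-printable output usually
    means the wrong scheme was chosen or the data was random to begin with."""
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def decode_as(data: bytes, scheme: str) -> bytes:
    """One Decoder box: apply a single scheme to the input."""
    return DECODERS[scheme](data)


def decode_chain(data: bytes, schemes):
    """Stacked Decoder boxes: apply schemes in order and record each stage.
    Returns a list of (scheme, output) pairs."""
    stages = []
    for scheme in schemes:
        data = decode_as(data, scheme)
        stages.append((scheme, data))
    return stages


def candidate_decodings(data: bytes) -> dict:
    """Try every scheme and keep those that succeed, change the input, and
    give printable output; the result tells you which box to open next."""
    found = {}
    for name, fn in DECODERS.items():
        try:
            result = fn(data)
        except Exception:  # malformed for this scheme (bad padding, non-hex, no gzip header)
            continue
        if result != data and is_printable(result):
            found[name] = result
    return found


# Constructed sample (not from the page): a URL-encoded query fragment that was
# then Base64-encoded, i.e. it needs two decoding stages.
SAMPLE = b"cT1oZWxsbyUyMHdvcmxkJTIx"

if __name__ == "__main__":
    print(candidate_decodings(SAMPLE))          # only Base64 yields printable text
    for scheme, out in decode_chain(SAMPLE, ["Base64", "URL"]):
        print(f"{scheme:>8}: {out!r}")
```

Running the script first shows that only Base64 produces printable output for the sample, then walks the chain Base64 → URL to recover the original text, which is exactly the “decode it again in the new box” workflow from the article.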
How to encode data
You can also use Decoder to encode data with any of the available encoding methods by clicking “Encode as” and selecting one. This is useful if you need to decode a string, modify it, and then re-encode it to insert the change into a web request.
Tip: The encoding isn’t particularly smart; for example, alphanumeric characters don’t need to be encoded in URLs as they are valid characters, but the URL encoder will encode every character.
You can also generate a hash of a string by clicking on “Hash” and then selecting an algorithm. Burp does not offer a way to reverse a hash, because hashes are one-way functions, so this is not possible.
Tip: Any combination of decoding, encoding, and hashing is possible with Decoder, although some orders of operation will not make logical sense.
You can decode, encode, or hash a portion of a string in Decoder by highlighting it before selecting how it should be handled. This is useful if you have two variables encoded with different methods.
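The encoding side of Decoder, as an added example that is not part of the original article or of Burp: the “encode every character” URL encoder the tip above describes next to a minimal one, the decode-modify-re-encode round trip for a Base64 value, hashing (one-way, so no inverse is provided), and encoding only a highlighted portion of a string. All function names and the sample values are this example’s own assumptions; the percent-encoding hex case is not claimed to match Burp byte for byte.

```python
import base64
import hashlib
import urllib.parse


def url_encode_all(data: bytes) -> str:
    """Percent-encode every byte, as the page says Burp's URL encoder does,
    even for alphanumerics that are valid in a URL as-is."""
    return "".join(f"%{b:02x}" for b in data)


def url_encode_minimal(data: bytes) -> str:
    """Encode only bytes that are not URL-safe (the standard-library behaviour)."""
    return urllib.parse.quote_from_bytes(data, safe="")


def rewrite_base64_value(value: bytes, old: bytes, new: bytes) -> bytes:
    """Decode, modify, re-encode: the workflow for editing an encoded
    parameter before inserting it back into a request."""
    decoded = base64.b64decode(value, validate=True)
    return base64.b64encode(decoded.replace(old, new))


def hash_as(data: bytes, algorithm: str) -> str:
    """Hash with any algorithm hashlib knows (e.g. 'md5', 'sha1', 'sha256').
    There is deliberately no inverse: a hash is a one-way function."""
    return hashlib.new(algorithm, data).hexdigest()


def encode_portion(text: str, start: int, end: int, encoder) -> str:
    """Apply an encoder to text[start:end] only, leaving the rest untouched;
    this mirrors highlighting part of the input before choosing 'Encode as'."""
    return text[:start] + encoder(text[start:end].encode()) + text[end:]


if __name__ == "__main__":
    # Constructed samples (not from the page).
    print(url_encode_all(b"id=1"))                     # every byte encoded
    print(url_encode_minimal(b"a b&c"))                # only the unsafe bytes
    print(rewrite_base64_value(b"bGFuZz1lbg==", b"en", b"fr"))
    print(hash_as(b"", "sha256"))
    # Encode just the value of the first parameter, leaving the second alone.
    print(encode_portion("user=alice&token=abc", 5, 10, url_encode_all))
```

The contrast between `url_encode_all` and `url_encode_minimal` is the tip above in code: both produce a string a server will decode to the same bytes, but the all-characters form is longer and not what browsers normally send.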
Note: Decoder doesn’t support sub-tabs, so you can only manage one input at a time. Be careful to copy the result of a process before sending more data to Decoder unless you’re OK with losing it.