Getting to know Hackvertor
What is Hackvertor, exactly?
Hackvertor is an extension for Burp Suite that allows you to tag HTTP traffic you want to encode. You can then convert tagged traffic into an encoded form — or ask Hackvertor to convert it for you when sending a request. That means you can review and edit tagged HTTP traffic without needing to decode it first.
Use this guide to get started with Hackvertor, so you can begin hacking and ‘verting in a way that saves you both time and clicks. Check out Information to get you started below to kick off your Hackvertor journey.
Hackvertor is available for Burp Suite and Burp Suite Community Edition.
Not a Burp Suite customer? You can use Burp Suite Community Edition for free, which you can .
Information to get you started
Whether you’re a tag-inserting pro or an entry-level encoder, there’s advice for wherever you are in your Hackvertor journey:
Want to know what Hackvertor can do before jumping in? Read the rest of this page. Installed Burp Suite and want to give Hackvertor a try? Check out . Like step-by-step guides and references? Check out . Prefer show, not tell — or hands on? See Hackvertor in action with . Need something not covered elsewhere? Try .
What you can do with Hackvertor
There’s more than one way to use Hackvertor. Want to add tags to traffic then encode in a dedicated Hackvertor tab for later reference? You can do that. Want to run custom code? Go for it.
From custom code execution to encoding on send, here’s some of the things you can do with Hackvertor:
Encode and encrypt — and decode and decrypt — HTTP traffic in a number of Burp Suite areas, including Repeater, Intruder and Proxy. Transfer HTTP traffic into dedicated Hackvertor tabs, where you can tag, convert and store traffic for later review and re-use. Tag HTTP traffic for transformation, such as extracting the length of a string or turning all characters in a string to uppercase.
Where you can use Hackvertor in Burp Suite
Hackvertor interacts with Burp Suite in the following ways:
Proxy (Intercept tab): Insert tags into intercepted traffic. Tagged HTTP traffic is automatically converted when forwarded. Intruder: Use Hackvertor to tag and convert payloads when launching an attack. Repeater: Tag HTTP traffic for conversion on send.
Preview conversion in Hackvertor subtab: In the Request box, click the Hackvertor subtab to see converted HTTP traffic in the Output box.
Encode HTTP traffic in a Burp Suite tab 🎦 (quickly tag traffic and convert on send)
In Proxy and Repeater, you can tag HTTP traffic to be converted when sending a request or launching an attack. For example, you might want to quickly tag traffic you happen to be working on.
In the Intercept tab or the Repeater tab:
Drag-select to highlight the traffic you want to tag for conversion. Right-click and hover over Extensions. Then hover over Hackvertor. Hover over the list of tag categories, then click the tag you want to apply — such as urlencode. With your HTTP traffic tagged for conversion, you can now: Send traffic: Send or forward your tagged HTTP traffic, as Hackvertor will convert it for you. Convert HTTP traffic in the editor window before sending: Right-click > Extensions > Hackvertor > Convert tags. Preview conversion in Hackvertor subtab: In the Request box, click the Hackvertor subtab to see converted HTTP traffic in the Output box. Transfer traffic to a Hackvertor tab for tagging, conversion and storage: Drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.
Encode HTTP traffic in a Hackvertor subtab 🎦 (easily change and preview conversion)
Some tabs — such as the Repeater tab and Intercept tab — include a Hackvertor subtab, which allows you to convert and review HTTP traffic before using it.
To use a Hackvertor subtab:
In a Burp Suite tab, such as the Repeater tab, click the Hackvertor subtab. This will automatically convert any tags already inserted into your HTTP traffic. To insert additional tags: Above the Hackvertor tab, click the category of tag you want to apply — such as Encode. Then click the tag you want to insert, such as urlencode. Any additional tagged HTTP traffic will be automatically converted. With converted HTTP traffic displayed in the Output box, you can now: Transfer HTTP traffic back to the Raw tab: Click Swap > then click the Raw tab. Once transferred to the Raw tab, transfer encoded HTTP traffic to a Hackvertor tab:
In the Raw tab, drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.
Encode HTTP traffic in a Hackvertor tab 🎦 (preview conversion and store for reuse)
You can use the Hackvertor section of Burp Suite to tag and convert traffic in multiple tabs — you might want to compare and contrast requests and responses across multiple tabs, for example.
To transfer traffic from a Burp Suite tab to a Hackvertor tab: Drag-select the HTTP traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor. If you want to clear decode tags, click Clear tags. In the Hackvertor tab, drag-select the HTTP traffic you want to tag. Above the tab, click the category of tag you want to apply — such as Encode. Click the tag you want to insert — such as urlencode. With HTTP traffic automatically encoded in the Output box, you can now: Copy and paste the converted traffic to other tabs in Burp Suite. Click the ... icon at the top of the tab to open a new Hackvertor tab, where you can tag and encode another set of traffic.
Encode payloads in the Intruder tab 🎦
You can use Hackvertor in the Intruder tab to encode the contents of a payload. Anything defined as a payload position — HTTP traffic sat between § — will be converted when the attack is launched.
To do this, we’ll invoke Hackvertor in the Intruder tab to process the payload:
In the Intruder tab, set up any positions. Click the Payloads tab. Then set up your payload sets and settings. Under Payload processing, click Add. From the drop down list, select Invoke Burp extension. In the Select process drop down list, select the tags you want to apply to the respective payloads — such as Hackvertor_Uppercase. Anything defined as a payload position, content between two § — such as §Gift§ — will be converted by Hackvertor when the attack is launched. To see the encoded HTTP traffic: In the Intruder attack window, click a request. In the Raw tab below, you will see the converted request. In this case, Carlos is presented in upper case.