Skip to content
Gallery
NEAR FINAL: Hackvertor for Burp Suite
Getting started with Hackvertor
Questions and observations
Questions and observations
More
Share
Explore
Getting started with Hackvertor

Encoding with Hackvertor

Step-by-step guides to get you tagging and converting
Adam Meadows

Encoding with Hackvertor

Before getting started

Hackvertor can tag and convert traffic in a number of ways — such as URL encoding a SQL statement or text transforming a string to upper case. You might want to tag traffic and have Hackvertor convert tags on send, or convert traffic first to get a preview of what you’re about to use.
info
Want to know what Hackvertor can do before you jump in? Check out
Getting started with Hackvertor
.
Encoding is done in the following steps:
Place tags around HTTP traffic you want to encode or transform.
Convert the traffic you want to encode to apply those tags.
Want a quick visual guide? 🎦 next to a title means there’s a GIF at that end of that section — just in case you want a brief visual walkthrough.

Ways to encode HTTP traffic

As Hackvertor can be used throughout Burp Suite, how you tag traffic for sending depends on which area of Burp Suite you’re in. For example, tagging traffic in Repeater differs to tagging traffic in Hackvertor tabs.
You might not tag and convert the same way every time you want to encode or transform traffic. Or you might want to encode in one tab and convert elsewhere later, for example.
Here’s how and why you might
info
You can’t insert tags into traffic in the Intruder tab. Instead, you can invoke Hackvertor to tag payloads. Refer to Encode payloads in the Intruder tab below for more information.
Click a method that suits you for more information:

Encode HTTP traffic in a Burp Suite tab 🎦

Recommended for if you want to quickly tag data , and don’t need to worry about previewing first.
Recommended for if you want to HTTP traffic conversion before use.
Recommended for if
Previe

Preview encoded traffic:

You can preview encoded traffic in the following ways:
If you’re in a the x tabs, you can click the Hackvertor tab — this will
In a Hackvertor subtab, contents are

Learn more

In Proxy and Repeater, you can tag traffic to be converted when sending a request or launching an attack. For example, you might want to quickly tag traffic you happen to be working on.
In the Intercept tab or the Repeater tab:
Drag-select to highlight the traffic you want to tag for conversion.
Right-click and hover over Extensions. Then hover over Hackvertor.
Hover over the list of tag categories, then click the tag you want to apply — such as urlencode.
With your traffic tagged for conversion, you can now:
Send traffic: Send or forward your tagged traffic, as Hackvertor will convert it and encode it for you.
Convert traffic in the editor window before sending: Right-click > Extensions > Hackvertor > Convert tags.
Transfer traffic to a Hackvertor tab for tagging, conversion and storage: Drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.


Encode HTTP traffic in a Hackvertor subtab 🎦

A number of tabs, such as the Repeater tab and Intercept tab, include a Hackvertor subtab which allows you to convert and review HTTP traffic before using it.
Once you’ve converted HTTP traffic, you can move it to Burp Suite tabs — as explained below:
In a Burp Suite tab, such as the Repeater tab, click the Hackvertor subtab. This will automatically convert any tags already inserted.
To insert additional tags: Above the Hackvertor tab, click the category of tag you want to apply — such as Encode. Then click the tag you want to insert, such as urlencode.
Tagged HTTP traffic will be automatically converted.
With HTTP traffic in the Output box, you can now:
Transfer HTTP traffic back into the Burp Suite tab: Click Swap > then click the Raw tab.
Once transferred to the Raw tab, transfer encoded HTTP traffic to a Hackvertor tab: In the Raw tab, drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.

Encode HTTP traffic in a Hackvertor tab 🎦

You can use the Hackvertor section of Burp Suite to tag and convert traffic in multiple tabs. You might want to compare and contrast requests and responses across multiple tabs, for example.
To transfer traffic from a Burp Suite tab to a Hackvertor tab: Drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor. If you want to clear decode tags, click Clear tags.
In the Hackvertor tab, drag-select the HTTP traffic you want to tag.
Above the tab, click the category of tag you want to apply — such as Encode.
Click the tag you want to insert — such as urlencode.
With your traffic automatically encoded in the Output box, you can now:
Copy and paste the converted traffic to other tabs in Burp Suite.
Click the ... icon at the top of the tab to open a new Hackvertor tab, where you can tag and encode another set of traffic.

Encode payloads in the Intruder tab 🎦

You can use Hackvertor in the Intruder tab to encode the contents of a payload. Anything defined as a payload position — which is traffic marked between § — will be converted when the attack is launched.
To do this, we’ll invoke Hackvertor in the Intruder tab to process the payload:
In the Intruder tab, set up any positions.
Click the Payloads tab. Then set up your payload sets and settings.
Under Payload processing, click Add.
From the drop down list, select Invoke Burp extension.
In the Select process drop down list, select the tags you want to apply to the respective payloads — such as Hackvertor_Uppercase.
Then click OK.
Anything defined as a payload position, content between two § — such as §Gift§ — will be converted by Hackvertor when the attack is launched.
To see the encoded HTTP traffic: In the Intruder attack window, click a request. In the Raw tab below, you will see the converted request. In this case, Carlos is presented in uppercase.

Optional: You’ve encoded your HTTP traffic — what next?

You’ve tagged and converted your traffic — it worked! Now you might want to consider extras such as:

You can transfer traffic from Burp Suite tab to a Hackvertor tab for safekeeping

You can transfer HTTP traffic from the Request and Response boxes to a Hackvertor tab. You might want to store a successful GET request, or perform additional encoding on that request.
To transfer traffic to a Hackvertor tab:
In a Request or Response box, drag-select the traffic you want to transfer.
Right-click and hover over Extensions. Then hover over Hackvertor.
Click Send to Hackvertor.
A Hackvertor tab will open, where you can tag and convert HTTP traffic.

You can review encoded HTTP traffic using the Inspector 🎦

After sending encoded traffic, you might want to see both the decoded input and the encoded output.
If you’ve sent or forwarded HTTP traffic using the Repeater tab or the Intercept tab, you can use the Inspector panel to inspect its encoded contents in more detail.

You can decode your encoded HTTP traffic

You can use the <@auto_decode> tag to decode HTTP traffic.
Here’s some things to note about the <@auto_decode> tag:
If you use the <@auto_decode> tag, the decoded string will include the relevant encoding tags — as shown below: ​
image.png
That means using the <@auto_decode> tag in a request may return an unexpected response, as any tags introduced as part of the decoding process will be sent with the request.

Tags

Encode (converts string to the chosen encoding)

base32: Base32 encode a string
base64: Base64 encode a string
hex_entities: Create Hexadecimal HTML entities from the string
dec_entities: Decimal HTML entities
dec: Converts each character into a decimal escape
hex: Creates a javascript hexadecimal string
urlencode: Javascript escape wrapper (standard urlencode)
urlencode_all: Custom urlencoder (encodes all characters)
utf7: Creates a UTF-7 encoded string to be used with character set attacks

Decode (decodes string that has been encoded)

d_base64: Decodes a base64 encoded string
d_base32: Decodes a base32 encoded string
auto_decode: Decodes string that has been encoded
d_uni: Decodes unicode strings
d_oct: Decodes octal escapes
d_enc: Unescape wrapper (Decodes urlencoded string)
d_realenc: Clone of d_enc tag added for clarity
d_htmlent: Decodes HTML entities
0d_utf7: Decodes a UTF-7 encoded string

Hashing (performs hashing functions on a string)

md4: Performs a MD4 hash of a string
md5: Performs a MD5 hash of a string
sha1: Performs a sha1 hash of a string
sha224: Performs a sha224 hash of a string
sha256: Performs a sha256 hash of a string
hmac_md5: Performs a hmac_md5 hash of a string, uses an argument for the HMAC key
hmac_sha1: Performs a hmac_sha1 hash of a string, uses an argument for the HMAC key

Convert (conversion tags to perform numeric or other special conversions)

hex2rgb: Converts a HTML colour to RGB
rgb2hex: Converts RGB colours to HTML hex colours
dec2hex: Converts a number to hex
dec2oct: Converts a number to octal

SQL (SQL injection tags)

sql_hex: Creates a hex number from each character

Date (date- and time-based tags)

date: Inserts current time and date in the format such as "yyyy-MM-dd HH:mm:ss"
timestamp: Inserts a UNIX timestamp


Encoding with Hackvertor
Before getting started
Ways to encode HTTP traffic
Optional: You’ve encoded your HTTP traffic — what next?
Tags
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.