Encoding with Hackvertor
Before getting started
Hackvertor can tag and convert traffic in a number of ways — such as URL encoding a SQL statement or text transforming a string to upper case. You might want to tag traffic and have Hackvertor convert tags on send, or convert traffic first to get a preview of what you’re about to use.
Want to know what Hackvertor can do before you jump in? Check out .
Encoding is done in the following steps:
1. Place tags around HTTP traffic you want to encode or transform.
2. Convert the traffic you want to encode to apply those tags.
Want a quick visual guide? 🎦 next to a title means there’s a GIF at the end of that section — just in case you want a brief visual walkthrough.
Ways to encode HTTP traffic
As Hackvertor can be used throughout Burp Suite, how you tag traffic for sending depends on which area of Burp Suite you’re in. For example, tagging traffic in Repeater differs from tagging traffic in Hackvertor tabs.
You might not tag and convert the same way every time you want to encode or transform traffic. Or you might want to encode in one tab and convert elsewhere later, for example.
Here’s how and why you might
You can’t insert tags into traffic in the Intruder tab. Instead, you can invoke Hackvertor to tag payloads. Refer to Encode payloads in the Intruder tab below for more information.
Click a method that suits you for more information:
Encode HTTP traffic in a Burp Suite tab 🎦
Recommended if you want to quickly tag data, and don’t need to worry about previewing first.
Recommended if you want to preview HTTP traffic conversion before use.
Recommended for if
Preview encoded traffic:
You can preview encoded traffic in the following ways:
If you’re in a the x tabs, you can click the Hackvertor tab — this will In a Hackvertor subtab, contents are
In Proxy and Repeater, you can tag traffic to be converted when sending a request or launching an attack. For example, you might want to quickly tag traffic you happen to be working on.
In the Intercept tab or the Repeater tab:
1. Drag-select to highlight the traffic you want to tag for conversion.
2. Right-click and hover over Extensions. Then hover over Hackvertor.
3. Hover over the list of tag categories, then click the tag you want to apply — such as urlencode.
With your traffic tagged for conversion, you can now:
- Send traffic: Send or forward your tagged traffic, as Hackvertor will convert it and encode it for you.
- Convert traffic in the editor window before sending: Right-click > Extensions > Hackvertor > Convert tags.
- Transfer traffic to a Hackvertor tab for tagging, conversion and storage: Drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.
Encode HTTP traffic in a Hackvertor subtab 🎦
A number of tabs, such as the Repeater tab and Intercept tab, include a Hackvertor subtab which allows you to convert and review HTTP traffic before using it.
Once you’ve converted HTTP traffic, you can move it to Burp Suite tabs — as explained below:
1. In a Burp Suite tab, such as the Repeater tab, click the Hackvertor subtab. This will automatically convert any tags already inserted.
2. To insert additional tags: Above the Hackvertor tab, click the category of tag you want to apply — such as Encode. Then click the tag you want to insert, such as urlencode. Tagged HTTP traffic will be automatically converted.
With HTTP traffic in the Output box, you can now:
- Transfer HTTP traffic back into the Burp Suite tab: Click Swap > then click the Raw tab.
- Once transferred to the Raw tab, transfer encoded HTTP traffic to a Hackvertor tab: In the Raw tab, drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.
Encode HTTP traffic in a Hackvertor tab 🎦
You can use the Hackvertor section of Burp Suite to tag and convert traffic in multiple tabs. You might want to compare and contrast requests and responses across multiple tabs, for example.
1. To transfer traffic from a Burp Suite tab to a Hackvertor tab: Drag-select the traffic you want to transfer > right-click > Extensions > Hackvertor > Send to Hackvertor.
2. If you want to clear decode tags, click Clear tags.
3. In the Hackvertor tab, drag-select the HTTP traffic you want to tag.
4. Above the tab, click the category of tag you want to apply — such as Encode.
5. Click the tag you want to insert — such as urlencode.
With your traffic automatically encoded in the Output box, you can now:
- Copy and paste the converted traffic to other tabs in Burp Suite.
- Click the ... icon at the top of the tab to open a new Hackvertor tab, where you can tag and encode another set of traffic.
Encode payloads in the Intruder tab 🎦
You can use Hackvertor in the Intruder tab to encode the contents of a payload. Anything defined as a payload position — which is traffic marked between § — will be converted when the attack is launched.
To do this, we’ll invoke Hackvertor in the Intruder tab to process the payload:
1. In the Intruder tab, set up any positions.
2. Click the Payloads tab. Then set up your payload sets and settings.
3. Under Payload processing, click Add.
4. From the drop down list, select Invoke Burp extension.
5. In the Select process drop down list, select the tags you want to apply to the respective payloads — such as Hackvertor_Uppercase.
Anything defined as a payload position, content between two § — such as §Gift§ — will be converted by Hackvertor when the attack is launched.
To see the encoded HTTP traffic:
1. In the Intruder attack window, click a request.
2. In the Raw tab below, you will see the converted request. In this case, Carlos is presented in uppercase.
Optional: You’ve encoded your HTTP traffic — what next?
You’ve tagged and converted your traffic — it worked! Now you might want to consider extras such as:
You can transfer traffic from a Burp Suite tab to a Hackvertor tab for safekeeping
You can transfer HTTP traffic from the Request and Response boxes to a Hackvertor tab. You might want to store a successful GET request, or perform additional encoding on that request.
To transfer traffic to a Hackvertor tab:
1. In a Request or Response box, drag-select the traffic you want to transfer.
2. Right-click and hover over Extensions. Then hover over Hackvertor.
3. Click Send to Hackvertor.
A Hackvertor tab will open, where you can tag and convert HTTP traffic.
You can review encoded HTTP traffic using the Inspector 🎦
After sending encoded traffic, you might want to see both the decoded input and the encoded output.
If you’ve sent or forwarded HTTP traffic using the Repeater tab or the Intercept tab, you can use the Inspector panel to inspect its encoded contents in more detail.
You can decode your encoded HTTP traffic
You can use the <@auto_decode> tag to decode HTTP traffic.
Here are some things to note about the <@auto_decode> tag:
If you use the <@auto_decode> tag, the decoded string will include the relevant encoding tags — as shown below:
That means using the <@auto_decode> tag in a request may return an unexpected response, as any tags introduced as part of the decoding process will be sent with the request.
Encode (converts string to the chosen encoding)
Decode (decodes string that has been encoded)
d_base64: Decodes a base64 encoded string
d_base32: Decodes a base32 encoded string
auto_decode: Decodes string that has been encoded
d_uni: Decodes unicode strings
d_oct: Decodes octal escapes
d_enc: Unescape wrapper (Decodes urlencoded string)
d_realenc: Clone of d_enc tag added for clarity
d_htmlent: Decodes HTML entities
d_utf7: Decodes a UTF-7 encoded string
Hashing (performs hashing functions on a string)
md4: Performs an MD4 hash of a string
md5: Performs an MD5 hash of a string
sha1: Performs a sha1 hash of a string
sha224: Performs a sha224 hash of a string
sha256: Performs a sha256 hash of a string
hmac_md5: Performs a hmac_md5 hash of a string, uses an argument for the HMAC key
hmac_sha1: Performs a hmac_sha1 hash of a string, uses an argument for the HMAC key
Convert (conversion tags to perform numeric or other special conversions)
hex2rgb: Converts an HTML colour to RGB
rgb2hex: Converts RGB colours to HTML hex colours
dec2hex: Converts a number to hex
dec2oct: Converts a number to octal
SQL (SQL injection tags)
sql_hex: Creates a hex number from each character
Date (date- and time-based tags)
date: Inserts current time and date in the format such as "yyyy-MM-dd HH:mm:ss"
timestamp: Inserts a UNIX timestamp
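The following is an added example, not Hackvertor's own code: a small Python model of how nested tags resolve innermost-first for a few of the tags listed above, plus a hypothetical leftover_tags helper that reports tag markers still present in the text, which is the situation the <@auto_decode> note describes. The <@tag('arg')> argument syntax, the exact output formats (for example sql_hex as one 0x-prefixed value) and the sample request line are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote_plus, unquote_plus

# Model handlers: (content, args) -> converted text. Output formats are assumptions.
HANDLERS = {
    "urlencode": lambda s, a: quote_plus(s),
    "d_enc": lambda s, a: unquote_plus(s),
    "d_base64": lambda s, a: base64.b64decode(s).decode("utf-8"),
    "sha256": lambda s, a: hashlib.sha256(s.encode()).hexdigest(),
    "hmac_sha1": lambda s, a: hmac.new(a[0].encode(), s.encode(), "sha1").hexdigest(),
    "dec2hex": lambda s, a: format(int(s), "x"),
    "sql_hex": lambda s, a: "0x" + s.encode().hex(),
}

# An innermost tag pair: its content holds no further "<@" marker.
INNERMOST = re.compile(r"<@(\w+)(?:\(([^)]*)\))?>((?:(?!<@).)*)<@/\1>", re.S)


def _apply(match):
    name, raw_args, content = match.group(1), match.group(2), match.group(3)
    handler = HANDLERS.get(name)
    if handler is None:
        return match.group(0)  # tag unknown to this model: leave it untouched
    args = [p.strip().strip("'\"") for p in raw_args.split(",")] if raw_args else []
    return handler(content, args)


def convert(text):
    """Resolve tags innermost-first until a pass changes nothing."""
    while True:
        converted = INNERMOST.sub(_apply, text)
        if converted == text:
            return text
        text = converted


def leftover_tags(text):
    """Names of tag markers still present, i.e. what would be sent literally."""
    return sorted(set(re.findall(r"<@/?(\w+)", text)))


# Constructed sample request line, not captured traffic.
SAMPLE = ("GET /search?q=<@urlencode><@d_base64>YSBiPWM=<@/d_base64><@/urlencode>"
          "&id=<@dec2hex>255<@/dec2hex> HTTP/1.1")

if __name__ == "__main__":
    print(convert(SAMPLE))
    print(leftover_tags(convert("x=<@made_up_tag>1<@/made_up_tag>")))
```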