The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Support multiple alphabets/custom alphabets for Base64 encoding/decoding detection

Ira | Last updated: Sep 15, 2023 01:28PM UTC

Decoder would be a lot more powerful if custom alphabets could be used against Base64 encoding out of the box. Several cases of Base64 encoding have been overlooked from my testing before because the parser for the server didn't use the same alphabet as RFC 4648, but used alternative encoding patterns, such as Radix-64 (RFC 4880). Given how much of a difference decoding from an alternate alphabet makes the results appear, it'd be especially valuable to customize which ones to run when attempting Base64 decoding, or even including the same lists to check against like what CyberChef already offers out of the box. Detecting these alternate patterns would likely not involve a lot of changes in the Burp code base, but help expose a lot more simple encodings out there on the web that currently would require manual checking to see.

Ira | Last updated: Sep 15, 2023 03:56PM UTC

At least minimally, common alternative alphabets such as z64 (zip base 64), radix, xxe encoding, or Unix crypt should be supported by default as well, and allow for others to be easily loaded as needed. Less common alphabets, such as those used for Megan35 or Zong22, I feel are fine to leave to being user-added as needed.
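The multi-alphabet check requested in the posts above, sketched as an added example (not part of the original thread and not Burp, Hackvertor or CyberChef code): each candidate alphabet is mapped onto the RFC 4648 ordering, decoded, and ranked by how printable the result is. The function names, the scoring heuristic and the sample credential are assumptions constructed here, and the z64 ordering is taken to be the one in CyberChef's preset list.

```python
import base64
import string

UP, LOW, DIG = string.ascii_uppercase, string.ascii_lowercase, string.digits
STD = UP + LOW + DIG + "+/"  # RFC 4648 ordering, index 0..63

# Candidate alphabets; add further 64-character strings as needed.
ALPHABETS = {
    "rfc4648": STD,
    "urlsafe": UP + LOW + DIG + "-_",
    "unix-crypt": "./" + DIG + UP + LOW,
    "xxencode": "+-" + DIG + UP + LOW,
    # Assumption: z64 ordering as in CyberChef's preset list (0-9a-zA-Z+/).
    "z64": DIG + LOW + UP + "+/",
}

def decode_with(alphabet, data):
    """Decode `data` written in a 64-character alphabet; None if it cannot fit."""
    body = data.strip().rstrip("=")
    if not body or len(body) % 4 == 1 or any(c not in alphabet for c in body):
        return None
    std = body.translate(str.maketrans(alphabet, STD))
    return base64.b64decode(std + "=" * (-len(std) % 4))

def encode_with(alphabet, raw):
    """Encode bytes with a custom alphabet (unpadded); used to build test input."""
    std = base64.b64encode(raw).decode().rstrip("=")
    return std.translate(str.maketrans(STD, alphabet))

def printable_ratio(raw):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw) if raw else 0.0

def rank_decodings(data):
    """Try every alphabet; return (score, name, bytes) tuples, best score first."""
    results = []
    for name, alphabet in ALPHABETS.items():
        raw = decode_with(alphabet, data)
        if raw is not None:
            results.append((printable_ratio(raw), name, raw))
    return sorted(results, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    # Constructed sample: a credential string encoded with the Unix crypt alphabet.
    token = encode_with(ALPHABETS["unix-crypt"], b"admin:secret")
    for score, name, raw in rank_decodings(token):
        print(f"{score:.2f}  {name:<10}  {raw!r}")
```

The Unix crypt and xxencode alphabets differ only in their first two symbols, so a token with no `.`, `/`, `+` or `-` decodes identically under both and they tie at the top. The standard alphabet still decodes such a token without error, just to non-printable bytes, which is why a single-alphabet decoder gives no hint that the value is Base64 at all.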

Michelle, PortSwigger Agent | Last updated: Sep 18, 2023 08:17AM UTC

Thanks for getting in touch. We'll pass this on so that the team can see what people would find helpful when revisiting and updating the Decoder tool. In the meantime, would any of the BApps in the BApp Store help? For example, Decoder Improved exposes every hashing algorithm included in the BouncyCastle Java crypto library: https://portswigger.net/bappstore/0a05afd37da44adca514acef1cdde3b9

Ira | Last updated: Sep 19, 2023 06:34PM UTC

It does not. I tend to prefer Hackvertor, which has more coverage overall, but still doesn't check for things like Radix-64 or z64.

Michelle, PortSwigger Agent | Last updated: Sep 20, 2023 08:20AM UTC