Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, I developed Decoder Improved, a drop-in replacement Burp Suite plugin.
It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality is straightforward to extend to accommodate any custom data encoding and decoding needs.
Burp Suite Decoder
Burp Suite includes an easy-to-use data manipulation toolkit that allows a user to manipulate data by setting a series of transformation filters. These filters allow users to perform simple data manipulation including URL, HTML, Base64, ASCII Hex, Hex, Octal, Binary, and Gzip encoding and decoding; it also includes a few basic hashing functions. Additionally, Burp Suite’s decoder has a hex editor and a smart decode option that automatically picks a reasonable decoding method. While this set of functionality is useful, it suffers from several issues that limit it heavily:
- It does not have tabs, which prevents a user from manipulating multiple pieces of data separately.
- It fails to handle non-ASCII data correctly.
- Its hex editor is severely limited and cannot be extended via the Burp Extender API to perform custom encoding and decoding.
Decoder’s weaknesses
A lack of tabs
Unlike many of Burp’s other features, the decoder does not support tabs which makes managing multiple chunks of data difficult.
A difficult to use hex editor
The included hex editor requires users to right click to insert new bytes or delete existing bytes. Additionally, each byte in the hex editor is a text box making data entry difficult.
Cannot handle non-ASCII text
Decoder truncates text characters to one byte, mangling Unicode characters. This makes dealing with non-English character sets brutal.
Impossible to extend
Because Burp Suite is closed-source, it is not feasible to fix bugs and extend the existing decoder.
Decoder Improved
Decoder Improved is a data transformation plugin for Burp Suite that better serves the varying and expanding needs of information security professionals. Decoder Improved includes the following useful features:
All of the built-in Burp decoder modes
Decoder Improved supports all of decoder’s encoding, decoding, and hashing modes. Decoder Improved can encode and decode URL, HTML, Base64, ASCII Hex, and GZIP. Additionally, Decoder Improved can hash data using MD2, MD5, SHA, SHA-224, SHA-256, SHA-384, and SHA-512.
Tabs
Like many of Burp Suite’s features, Decoder Improved has support for tabs, enabling users to manipulate separate pieces of data simultaneously without having to erase existing work.
Unicode support
Decoder Improved is backed by arrays of Java Bytes that do not truncate or modify Unicode characters through the modification process. Because Java’s Swing elements support displaying Unicode characters, so does Decoder Improved.
An improved hex editor
Decoder Improved comes bundled with the Delta Hexadecimal Editor, a swing hex editor, developed by the ExBin project. Delta provides an improved hex editing experience over the built-in decoder’s hex editor by allowing easy insertion and removal, highlighting, and Unicode support.
Arbitrary numeric base conversion
Decoder Improved can convert any number represented in base two to base 32 (the largest base supported by Java) to its representation in any other base between base two and base 32.
Regex find replace
Decoder Improved can perform regular expression find and replace over input to quickly transform text.
HTML/URL encode only special characters
When HTML and URL encoding strings in decoder, every character in the string is encoded, which limits human readability and occasionally trips broken input filtering rules. Decoder Improved includes encoding modes that only encode special characters while leaving alphanumerics untouched.
Every hashing algorithm available in BouncyCastle
In addition to every hashing algorithm exposed within Burp Suite’s built-in decoder, Decoder Improved exposes every hashing algorithm included in the BouncyCastle Java crypto library. In contrast, decoder only contains a smattering of hashing algorithms that do not cover the entire range of hashing needs encountered during testing.
An easy extension interface
In the next blog post covering Decoder Improved, we will walk through examples of how to extend Decoder Improved and add new encoding modes, including a FooBar encoder and a Text Replace mode.
Decoder Improved is available for download at https://github.com/nccgroup/Decoder-Improved.
Published date: 13 September 2017
Written by: Justin Moore