Over the past couple of months, I’ve gone through every tool Burp Suite has to offer. Well, almost. After teaching you how to use the Spider, the Intruder, and all the rest, there are only two more tools left. They’re both quite simple, so I’ll just squish both into one post.
Burp Decoder works a little bit like Google Translate. It’s a very simple tool that you can use to encode and decode different types of data. Encoding and decoding are different, however, from another pair of terms security professionals use: encryption and decryption.
Encoding data involves turning one commonly used type of data into another commonly used type of data. There are standards which are available to anyone. It’s essentially translating between languages. Dictionaries are available anywhere, and if I wanted to ask my Polish neighbour “How’s it going?” in Polish, I would tell them the same thing as if I booked a flight to Poland and asked someone there. Encoding has a practical use, but not a security-oriented one. If I had a USB that contained data in ASCII hexadecimal form that I needed to configure with a PC that uses binary, I could easily encode the ASCII hex into binary.
This is different from encryption, where the method of translation is known only to a select few. That is the point: only people who are allowed to see the data should be able to read it.
So, in order to encode or decode data, simply paste the text into the Decoder. You have two options. If you know what the data is, for example, if you know that a certain part of a web application is using Base64, you can select ‘Decode’ on the right, and decode it as Base64. Burp will then create a second box with the data in our human language. The other way around, if you wanted to take a word and translate that into HTML, simply select the ‘Encode’ option and encode it as such.
Burp Comparer lets you compare two different pieces of data. Let’s say you wanted to brute-force your way into a login screen. You use Burp Intruder and two sets of data (one for the username and one for the password, for example) to repeatedly fuzz the site and see what kinds of responses you get. This is, by the way, something I also teach how to do on the site. Anyway, you get your results back, and you see that two responses have two different “status” values.
You don’t know what this means, so you right-click both and send both to the Comparer. Select them, and then at the bottom right, select the “Words” option. Now you have a side-by-side view of both responses so that you can easily identify the discrepancy.
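To make the “Words” comparison concrete, here is an added example (not part of the original post, and not Burp's own code) that does a word-level diff of two responses in Python. The two responses are constructed samples, and splitting words on whitespace is an assumption about how to tokenize, not a description of Burp's internals.

```python
import difflib
import re

# Constructed sample responses (not captured from a real application).
HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
RESPONSE_A = (
    HEADERS
    + "Content-Length: 48\r\n\r\n"
    + '{"status": "invalid", "message": "Login failed"}'
)
RESPONSE_B = (
    HEADERS
    + "Content-Length: 47\r\n\r\n"
    + '{"status": "locked", "message": "Login failed"}'
)


def words(text):
    """Split text into words: each run of non-whitespace characters (assumed tokenizer)."""
    return re.findall(r"\S+", text)


def word_diff(a, b):
    """Return (tag, words_from_a, words_from_b) for every region where a and b differ."""
    wa, wb = words(a), words(b)
    # autojunk=False so frequently repeated words are never skipped as "junk".
    matcher = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [
        (tag, wa[i1:i2], wb[j1:j2])
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


if __name__ == "__main__":
    # Print only the differing regions, left response against right response.
    for tag, left, right in word_diff(RESPONSE_A, RESPONSE_B):
        print(f"{tag:8} {' '.join(left)!r:14} -> {' '.join(right)!r}")
```

Besides the differing “status” value, the diff also flags the Content-Length header, which changes whenever the body length does.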