CyberChef

CyberChef is GCHQ's open-source web application for data transformation, widely known as "The Cyber Swiss Army Knife." Hawkra embeds CyberChef v10.19.4 directly into the platform, giving you access to hundreds of data encoding, decoding, encryption, and analysis operations without leaving your browser or switching to an external tool.

CyberChef embedded in Hawkra

How It Works

CyberChef is loaded as a fully embedded application within Hawkra's interface. When you navigate to CyberChef from the top navigation bar, the tool loads in an isolated iframe with its own scripting and form handling capabilities. All processing happens locally in your browser -- no data is sent to any external server.

The CyberChef interface uses a drag-and-drop "recipe" model:

  1. Input -- Paste or type the data you want to transform in the Input panel.
  2. Recipe -- Drag operations from the Operations panel into the Recipe panel to build your transformation pipeline. Operations execute in order, top to bottom.
  3. Output -- The transformed result appears in the Output panel in real time as you modify the recipe.

You can chain multiple operations together to create complex transformation pipelines. For example, you could Base64-decode a string, then XOR it with a key, then extract URLs with a regex -- all in a single recipe.
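
The chain described above (Base64-decode, XOR with a key, extract URLs), written out as a small Node.js pipeline. This is an added example, not CyberChef's or Hawkra's code; the `ops` names, `runRecipe`, the key `5a17` and the sample blob are constructed for illustration.

```javascript
// Added example: a minimal "recipe" runner. Not CyberChef's implementation.
// Each operation factory returns a function that transforms a Buffer.
const ops = {
  // Base64 text -> raw bytes (Node's decoder silently skips invalid characters)
  fromBase64: () => (buf) => Buffer.from(buf.toString("latin1"), "base64"),
  // Repeating-key XOR; the key is given as a hex string
  xor: (hexKey) => (buf) => {
    const key = Buffer.from(hexKey, "hex");
    if (key.length === 0) throw new Error("XOR key must not be empty");
    const out = Buffer.alloc(buf.length);
    for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
    return out;
  },
  // Regex extraction over the decoded text; returns an array of URLs
  extractUrls: () => (buf) =>
    buf.toString("utf8").match(/https?:\/\/[^\s"'<>]+/g) || [],
};

// Run the steps in order, top to bottom, feeding each output into the next step
function runRecipe(input, recipe) {
  return recipe.reduce((data, step) => step(data), Buffer.from(input, "utf8"));
}

// Constructed sample: plaintext XORed with a two-byte key, then Base64-encoded
const KEY = "5a17";
const PLAINTEXT =
  "cfg=1;dl http://example.test/update.bin then https://example.test/check?id=7 end";
const SAMPLE = ops.xor(KEY)(Buffer.from(PLAINTEXT, "utf8")).toString("base64");

function decodeSample() {
  return runRecipe(SAMPLE, [ops.fromBase64(), ops.xor(KEY), ops.extractUrls()]);
}

console.log(decodeSample());
```

Reordering the steps or using the wrong key leaves unreadable bytes for the regex step, which is the same behaviour you see in the Output panel when a recipe is in the wrong order.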

Common Security Testing Use Cases

CyberChef is particularly useful during penetration testing and vulnerability analysis for tasks that involve transforming, encoding, or analyzing data.

Encoding and Decoding

  • Base64 -- Encode and decode Base64 strings, commonly found in HTTP headers, JWTs, and encoded payloads.
  • URL Encoding -- Encode and decode URL-encoded strings for testing web application input handling and parameter tampering.
  • Hex -- Convert between hexadecimal and raw bytes for analyzing binary protocols, shellcode, or memory dumps.
  • HTML Entities -- Encode and decode HTML entities for XSS payload development and analysis.

Hashing

  • MD5 -- Generate MD5 hashes for file integrity checks or password hash comparison.
  • SHA-1 -- Compute SHA-1 digests for certificate fingerprinting and integrity verification.
  • SHA-256 -- Generate SHA-256 hashes for secure file verification and comparing against known-good hashes.
  • HMAC -- Compute keyed-hash message authentication codes for API signature verification.

Encryption and Decryption

  • AES -- Encrypt and decrypt data using AES with various modes (CBC, ECB, GCM) and key sizes for testing application encryption implementations.
  • XOR -- Apply XOR operations with single-byte or multi-byte keys, commonly used for deobfuscating malware payloads and simple ciphers.
  • DES / Triple DES -- Work with legacy encryption schemes still found in older systems.
  • RSA -- Perform RSA operations for testing public-key cryptography implementations.

Data Extraction

  • Regular Expressions -- Extract patterns from text, such as IP addresses, email addresses, URLs, or file paths from logs and output.
  • JSON Parsing -- Pretty-print, minify, or extract values from JSON payloads returned by APIs.
  • XML Parsing -- Format and extract data from XML responses and SOAP payloads.
  • Extract Files -- Carve embedded files from binary data streams.

Format Conversion

  • Character Encoding -- Convert between UTF-8, ASCII, Latin-1, and other character encodings.
  • Timestamp Conversion -- Convert between Unix timestamps, ISO 8601, and human-readable date formats.
  • Number Base Conversion -- Convert between decimal, hexadecimal, octal, and binary representations.
  • JWT Decode -- Decode and inspect JSON Web Token headers and payloads without verifying the signature.

Available Module Categories

CyberChef organizes its operations into categories. The following modules are available in the embedded version:

| Module | Examples |
|---|---|
| Hashing | MD5, SHA-1, SHA-256, SHA-512, HMAC, RIPEMD, CRC |
| Crypto | AES, DES, RSA, Blowfish, RC4, Rabbit |
| Ciphers | ROT13, Vigenère, Affine, Atbash, Bifid |
| Encoding | Base64, Hex, URL, HTML, Unicode, Morse Code |
| Code | JavaScript, Python, PHP beautify and minify, syntax highlighting |
| Charts | Scatter plots, hex density, frequency distribution |
| Compression | Gzip, Bzip2, Zlib, Deflate, LZString |
| Image | Convert to/from Base64, render hex as image, extract EXIF |
| OCR | Optical character recognition from image data |
| PGP | PGP encrypt, decrypt, sign, verify |
| Regex | Pattern matching, extraction, replacement |
| Serialization | JSON, XML, YAML, MessagePack, Protobuf |
| URL | Parse URLs, encode/decode components, extract query parameters |
| YARA | Write and test YARA rules against input data |

Key Actions

| Action | How |
|---|---|
| Open CyberChef | Click CyberChef in the top navigation bar |
| Build a recipe | Drag operations from the left panel into the Recipe area |
| Transform data | Paste data into Input; view results in Output |
| Chain operations | Add multiple operations to Recipe; they execute top to bottom |
| Save a recipe | Use CyberChef's built-in save/load recipe feature |
| Clear everything | Clear the Input, Recipe, and Output panels to start fresh |

Tips and Notes

  • All processing is local. CyberChef runs entirely in your browser. No data is transmitted to Hawkra's servers or any third party. This makes it safe to use with sensitive data such as credentials, tokens, and encrypted payloads.
  • Recipes are shareable. CyberChef can export recipes as compact URLs or JSON. Share a recipe with team members so they can reproduce your exact transformation pipeline.
  • Use it alongside OSINT tools. When an OSINT lookup returns encoded or obfuscated data, switch to CyberChef to decode it. For example, decode a Base64-encoded WHOIS field or decrypt an XOR-obfuscated payload found during a Shodan search.
  • JWT analysis. During web application testing, paste a JWT into the Input and use the "JWT Decode" operation to inspect the header and payload claims without needing an external tool.
  • Malware deobfuscation. Chain XOR, Base64 decode, and gunzip operations to peel back layers of obfuscation commonly found in malware droppers and encoded shellcode.
  • Sandboxed execution. The embedded CyberChef runs in a sandboxed iframe with restricted permissions (scripts, same-origin, forms, and downloads only). This provides an additional layer of isolation.
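
A check for the sandbox configuration described in the last tip, as an added example (not Hawkra's code). It assumes the listed permissions correspond to the standard `allow-scripts`, `allow-same-origin`, `allow-forms` and `allow-downloads` sandbox tokens; `auditSandbox` and its `frameIsSameOrigin` parameter are hypothetical names. The pairing of `allow-scripts` with `allow-same-origin` matters when the framed document shares the embedding page's origin, because script inside the frame can then reach the parent document and remove the sandbox attribute.

```javascript
// Added example: audit an iframe sandbox attribute against an expected allowlist.
// EXPECTED is an assumption derived from the permissions listed in the tip above.
const EXPECTED = [
  "allow-scripts",
  "allow-same-origin",
  "allow-forms",
  "allow-downloads",
];

// attr: value of the iframe's sandbox attribute, or null if the attribute is absent
// frameIsSameOrigin: true if the framed page is served from the embedder's origin
function auditSandbox(attr, frameIsSameOrigin) {
  if (attr === null || attr === undefined) {
    return ["no sandbox attribute: the frame runs without sandbox restrictions"];
  }
  const findings = [];
  // Sandbox tokens are space-separated and case-insensitive
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));

  // Anything beyond the documented set widens what the frame may do
  for (const t of tokens) {
    if (!EXPECTED.includes(t)) findings.push(`unexpected token: ${t}`);
  }

  // With both tokens on a same-origin frame, the sandbox is not a security boundary
  if (
    frameIsSameOrigin &&
    tokens.has("allow-scripts") &&
    tokens.has("allow-same-origin")
  ) {
    findings.push(
      "allow-scripts + allow-same-origin on a same-origin frame: " +
        "framed script can remove the sandbox attribute"
    );
  }
  return findings;
}

// Constructed input matching the permissions named in the tip
const DOCUMENTED = "allow-scripts allow-same-origin allow-forms allow-downloads";
console.log(auditSandbox(DOCUMENTED, false)); // served from a separate origin
console.log(auditSandbox(DOCUMENTED, true)); // served from the embedder's origin
```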