Decoder
The Decoder tab can be used to encode, decode, and hash any selected text.
Here is a simple example using login credentials. I can select the first two sections and decode them as Base64 while leaving the signature as plain text.
You could also use it to URL encode a payload to bypass filters.
“Keep in mind: The entire selection is URL encoded with this method. If you want to only URL encode key characters, you can type out the payload in any of the request editors in Burp Suite that have an inspector, right-click, and then select Convert selection > URL > URL encode key characters”
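To make the two Decoder operations above concrete, here is an added Python example (not from the original post or from Burp Suite) that does the same thing outside the tool: it splits a three-part token into header, payload and signature, Base64url-decodes the first two while leaving the signature as plain text, and then shows the difference between URL encoding an entire selection and encoding only a set of key characters. The sample token is constructed inside the script, and the `KEY_CHARS` set is an assumption for illustration, not Burp's own list.

```python
import base64
import json
from urllib.parse import quote


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without '=' padding, the form commonly seen in tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a segment, restoring any '=' padding that was stripped."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_token(token: str) -> dict:
    """Decode the first two dot-separated sections as Base64url JSON; keep the signature as-is."""
    header_b64, payload_b64, signature = token.split(".", 2)
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": signature,  # left as plain text, as in the post
    }


def url_encode_all(text: str) -> str:
    """Percent-encode everything except unreserved characters (whole-selection encode)."""
    return quote(text, safe="")


# Hypothetical "key characters" set for this example; Burp's list is not reproduced here.
KEY_CHARS = set("&=?#+%;/ \"'<>")


def url_encode_key_chars(text: str) -> str:
    """Percent-encode only the characters in KEY_CHARS, leaving the rest untouched."""
    return "".join(f"%{ord(c):02X}" if c in KEY_CHARS else c for c in text)


# Constructed sample token (values made up for this example, not taken from the post).
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()),
    b64url_encode(json.dumps({"sub": "alice", "role": "user"}, separators=(",", ":")).encode()),
    "signature-left-as-plain-text",
])


if __name__ == "__main__":
    print(decode_token(SAMPLE_TOKEN))
    print(url_encode_all("q=a b!"))        # every reserved character encoded
    print(url_encode_key_chars("q=a b!"))  # only KEY_CHARS encoded; '!' stays
```

The padding step in `b64url_decode` is the part that usually trips people up: the payload segment here is 40 Base64 characters once padded, so the stripped form needs an `=` restored before the standard library will accept it.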
Sequencer
The Sequencer tab is used to analyze the randomness of tokens.
You can provide a request and the location in the response where the token appears, or you can select Manual load from the top to just directly input the token.
You can run multiple tests for randomness to see if the token is actually something predictable, or if it has been generated with proper randomness.
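As an added example (not from the original post, and not Sequencer's own test battery), the following Python script shows the core idea behind a character-level randomness check: collect a sample of same-length tokens, measure the Shannon entropy of the character at each position across the sample, and flag positions whose entropy falls below a threshold. Both token sets are constructed inside the script: a deliberately predictable generator (fixed prefix plus an incrementing counter) and tokens from Python's `secrets` module for comparison.

```python
import math
import secrets
from collections import Counter


def position_entropy(tokens: list[str]) -> list[float]:
    """Shannon entropy in bits of the character observed at each position across the sample."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    n = len(tokens)
    entropies = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return entropies


def weak_positions(tokens: list[str], threshold_bits: float = 1.0) -> list[int]:
    """Indices of character positions whose entropy is below the threshold."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold_bits]


def distinct_fraction(tokens: list[str]) -> float:
    """Share of unique tokens in the sample; repeats are an immediate red flag."""
    return len(set(tokens)) / len(tokens)


def predictable_tokens(n: int) -> list[str]:
    """Constructed weak generator: constant prefix followed by a zero-padded counter."""
    return [f"sess{1000 + i:08x}" for i in range(n)]


def random_tokens(n: int) -> list[str]:
    """Tokens from a CSPRNG, 12 hex characters each, for comparison."""
    return [secrets.token_hex(6) for _ in range(n)]


if __name__ == "__main__":
    weak = predictable_tokens(512)
    good = random_tokens(512)
    print("predictable:", [round(h, 2) for h in position_entropy(weak)])
    print("weak positions:", weak_positions(weak))
    print("random:     ", [round(h, 2) for h in position_entropy(good)])
    print("weak positions:", weak_positions(good, threshold_bits=3.0))
```

A hex character can carry at most 4 bits, so with a few hundred samples the CSPRNG tokens sit near that ceiling at every position, while the counter-based tokens show nine positions with almost no entropy at all. Sequencer runs far more tests than this (bit-level and FIPS-style), but a per-position entropy plot is the first thing worth looking at when a token looks suspiciously structured.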
Comparer
The Comparer tab works similarly to a git diff. You can paste in sets of text, or you can right-click on two requests and select Send to Comparer. If you have more than two inputs, you select the two to compare.
In this case, I have just pasted in two strings, but you can also load the contents of a file or compare requests or responses.
If you press the Words button in the bottom right you will see this view where changes are highlighted, with modifications, deletions, and additions each shown in a different highlight colour.
If you press the Bytes button or select the Hex checkbox in the top right corner of the word compare section, you can switch to the Hex view. You can also select the Sync views checkbox in the bottom right if you have a large file, which will mirror your scrolling and selections between the two text boxes.
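To show what the Words and Bytes views are computing, here is an added Python example (not from the original post or from Burp Suite) built on the standard library's `difflib`: a word-level comparison that classifies each changed run as modified, deleted or added, and a byte-level comparison that reports the offsets where two inputs differ along with the hex value on each side, as a Hex view would. The two HTTP responses it compares are constructed for the example.

```python
import difflib


def word_diff(a: str, b: str) -> list[tuple[str, str, str]]:
    """Word-level comparison.

    Returns one (kind, left_text, right_text) tuple per changed run, where kind is
    'modified', 'deleted' or 'added'; unchanged runs are omitted.
    """
    a_words, b_words = a.split(), b.split()
    matcher = difflib.SequenceMatcher(a=a_words, b=b_words, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":
            changes.append(("modified", " ".join(a_words[i1:i2]), " ".join(b_words[j1:j2])))
        elif tag == "delete":
            changes.append(("deleted", " ".join(a_words[i1:i2]), ""))
        elif tag == "insert":
            changes.append(("added", "", " ".join(b_words[j1:j2])))
    return changes


def byte_diff(a: bytes, b: bytes) -> list[tuple[int, str, str]]:
    """Byte-level comparison: (offset, left_hex, right_hex) for every differing offset.

    A side that has run out of bytes is shown as '--', so length differences are visible.
    """
    diffs = []
    for offset in range(max(len(a), len(b))):
        left, right = a[offset:offset + 1], b[offset:offset + 1]
        if left != right:
            diffs.append((offset, left.hex() or "--", right.hex() or "--"))
    return diffs


# Constructed sample responses (made up for this example, not captured traffic).
RESPONSE_A = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: session=abc123\n"
    "Content-Type: application/json\n\n"
    '{"user":"alice","admin":false}'
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: session=abc124\n"
    "Content-Type: application/json\n\n"
    '{"user":"alice","admin":true}'
)


if __name__ == "__main__":
    for kind, left, right in word_diff(RESPONSE_A, RESPONSE_B):
        print(f"{kind:9} {left!r} -> {right!r}")
    for offset, left, right in byte_diff(RESPONSE_A.encode(), RESPONSE_B.encode()):
        print(f"offset {offset}: {left} -> {right}")
```

Whitespace-separated words are the unit of comparison here, so a one-character change inside a JSON body shows up as a single modified word; switching to `byte_diff` narrows it to the exact offset, which is the same trade-off you make when toggling between Comparer's Words and Bytes views.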
As we wrap up our exploration of Burp Suite’s Decoder, Sequencer, and Comparer components, it’s clear that each tool plays a unique role in enhancing your security testing workflow.
- Decoder simplifies the process of handling encoded or encrypted data, making it easier to decode, encode, or hash data formats on the fly.
- Sequencer provides powerful statistical analysis, helping you assess the randomness and predictability of tokens like session IDs.
- Comparer allows for efficient side-by-side comparisons of data, enabling you to spot subtle differences in responses or outputs quickly.
Together, these components bring precision and efficiency to your security testing. Mastering their capabilities will save you time and effort while giving you deeper insights into the vulnerabilities and behaviour of web applications.
In our upcoming blogs, we’ll continue to explore vulnerabilities and strategies to sharpen your skills. Stay tuned as we explore the full potential of this powerful suite of tools!
Thanks for reading, and as always, happy testing!