How to Use CyberChef
A practical guide to CyberChef — encoding/decoding, XOR brute force, JWT inspection, regex extraction, and the Magic operation for CTF and security analysis.
TL;DR
CyberChef is a browser-based data transformation pipeline built by GCHQ. Stack operations in any order, hit Bake, and decode layered encodings in seconds — no Python script needed.
What Is CyberChef?
CyberChef is a web application for encoding, decoding, encrypting, decrypting, and analysing data. It runs entirely in your browser at https://gchq.github.io/CyberChef/ — no installation required, and data never leaves your machine.
| Property | Detail |
|---|---|
| Author | GCHQ (UK Government Communications HQ) |
| License | Apache 2.0 (open source) |
| Runtime | Browser (JavaScript only) |
| Offline | Downloadable as a single HTML file from GitHub Releases |
| Operations | 300+ built-in |
Why does CyberChef exist?
Analysts need to reverse arbitrary transformations applied to malware payloads, phishing lures, and exfiltrated data. CyberChef replaces a patchwork of Python one-liners with a single visual pipeline that any analyst can use and share.
Core Concepts
flowchart LR
subgraph INPUT["Input"]
direction TB
I1["Raw text / hex dump / file"]
end
subgraph RECIPE["Recipe (ordered operations)"]
direction TB
O1["From Base64"]
O2["XOR (key)"]
O3["Gunzip"]
O4["Strings"]
O1 --> O2 --> O3 --> O4
end
subgraph OUTPUT["Output"]
direction TB
OUT["Decoded / extracted result"]
end
INPUT --> RECIPE --> OUTPUT
| Term | Meaning |
|---|---|
| Operation | A single transformation step (e.g. “From Base64”, “AES Decrypt”) |
| Recipe | An ordered list of operations applied top-to-bottom |
| Baking | Executing the recipe against the input — automatic by default |
| Magic | Auto-detects encoding layers and suggests a recipe |
| Fork | Splits input on a delimiter and applies the recipe to each chunk independently |
Encoding & Decoding
Base64
The most common CTF encoding layer. Drag “From Base64” onto the recipe, paste input, Bake.
1
SGVsbG8gV29ybGQ= → Hello World
For nested layers (base64 → base64 → base64), use Magic with depth 5–10 and intensive mode — it resolves the full stack automatically.
URL Encoding
1
%48%65%6c%6c%6f%20%57%6f%72%6c%64 → Hello World
Operation: URL Decode
Hex & character encodings
| Input format | Operation |
|---|---|
48 65 6c 6c 6f | From Hex |
\x48\x65\x6c\x6c\x6f | Unescape string |
72 101 108 108 111 (decimal) | From Charcode |
Hel | From HTML Entity |
JBSWY3DPEB… (Base32) | From Base32 |
ROT13 / ROT47
ROT13 shifts [A-Za-z]. ROT47 shifts all printable ASCII — useful for obfuscated shellcode strings and simple CTF ciphers.
Video Demo
CTF One-Shot Recipes
Recipe 1: Layered encoding — Base64 → Hex → ROT13
Add three operations in order:
1
From Base64 → From Hex → ROT13
When the stack is unknown, run Magic (depth 5, intensive mode) first.
Recipe 2: XOR-encrypted shellcode
1
From Hex → XOR (key: 0x5A, scheme: Standard) → Strings
Switch to XOR Brute Force and filter by MZ or This program to identify a PE header in the output.
Recipe 3: JWT — inspect base64url payload
Apply From Base64url to the middle segment of the JWT (between the two dots):
1
From Base64url → JSON Beautify
Recipe 4: Gunzipped + Base64 macro dropper
1
From Base64 → Gunzip → Strings
Common pattern in malicious Office macro payloads and PowerShell droppers.
Recipe 5: DFIR — extract all IoCs from a log blob
Run each extraction separately or use Fork to batch:
1
2
3
Regular expression (URLs)
Regular expression (IP addresses v4)
Regular expression (Email addresses)
Export results with the save icon or copy-to-clipboard.
Recipe 6: UNIX timestamp → UTC datetime (instant)
Paste any UNIX timestamp as input, add one operation:
1
From UNIX Timestamp
1
1751875200 → Sun 07 Jul 2026 04:00:00 UTC
Unit defaults to seconds. Switch to milliseconds for JavaScript-style timestamps (13-digit).
Reverse (UTC string → UNIX): use To UNIX Timestamp.
Tips
- Save recipes as bookmarks — the full recipe is encoded in the URL fragment; share the link and anyone reproduces the exact pipeline.
- Offline use — download
CyberChef_vX.X.X.zipfrom GitHub Releases for air-gapped lab environments. - Input auto-detection — CyberChef infers hex, base64, and raw automatically; set “Input type” explicitly when it misfires.
- Swap input/output — right-click the output pane to use the current output as the next input, useful when chaining transforms.
Key Takeaways
- CyberChef runs 100 % in-browser — paste credentials and hashes safely; nothing is sent to a server
- Magic is the fastest first move when encoding layers are unknown
- XOR Brute Force + known-plaintext filter breaks most single-byte obfuscation in under a second
- Save frequently used recipes as URL bookmarks — one link reproduces the entire pipeline
- Download the offline build for air-gapped or restricted lab environments