Post

How to Use CyberChef

A practical guide to CyberChef — encoding/decoding, XOR brute force, JWT inspection, regex extraction, and the Magic operation for CTF and security analysis.

How to Use CyberChef

TL;DR

CyberChef is a browser-based data transformation pipeline built by GCHQ. Stack operations in any order, hit Bake, and decode layered encodings in seconds — no Python script needed.


What Is CyberChef?

CyberChef is a web application for encoding, decoding, encrypting, decrypting, and analysing data. It runs entirely in your browser at https://gchq.github.io/CyberChef/ — no installation required, and data never leaves your machine.

Property Detail
Author GCHQ (UK Government Communications HQ)
License Apache 2.0 (open source)
Runtime Browser (JavaScript only)
Offline Downloadable as a single HTML file from GitHub Releases
Operations 300+ built-in

Why does CyberChef exist?
Analysts need to reverse arbitrary transformations applied to malware payloads, phishing lures, and exfiltrated data. CyberChef replaces a patchwork of Python one-liners with a single visual pipeline that any analyst can use and share.


Core Concepts

flowchart LR
    subgraph INPUT["Input"]
        direction TB
        I1["Raw text / hex dump / file"]
    end

    subgraph RECIPE["Recipe (ordered operations)"]
        direction TB
        O1["From Base64"]
        O2["XOR (key)"]
        O3["Gunzip"]
        O4["Strings"]
        O1 --> O2 --> O3 --> O4
    end

    subgraph OUTPUT["Output"]
        direction TB
        OUT["Decoded / extracted result"]
    end

    INPUT --> RECIPE --> OUTPUT
Term Meaning
Operation A single transformation step (e.g. “From Base64”, “AES Decrypt”)
Recipe An ordered list of operations applied top-to-bottom
Baking Executing the recipe against the input — automatic by default
Magic Auto-detects encoding layers and suggests a recipe
Fork Splits input on a delimiter and applies the recipe to each chunk independently

Encoding & Decoding

Base64

The most common CTF encoding layer. Drag “From Base64” onto the recipe, paste input, Bake.

1
SGVsbG8gV29ybGQ=  →  Hello World

For nested layers (base64 → base64 → base64), use Magic with depth 5–10 and intensive mode — it resolves the full stack automatically.

URL Encoding

1
%48%65%6c%6c%6f%20%57%6f%72%6c%64  →  Hello World

Operation: URL Decode

Hex & character encodings

Input format Operation
48 65 6c 6c 6f From Hex
\x48\x65\x6c\x6c\x6f Unescape string
72 101 108 108 111 (decimal) From Charcode
Hel From HTML Entity
JBSWY3DPEB… (Base32) From Base32

ROT13 / ROT47

ROT13 shifts [A-Za-z]. ROT47 shifts all printable ASCII — useful for obfuscated shellcode strings and simple CTF ciphers.


Video Demo


CTF One-Shot Recipes

Recipe 1: Layered encoding — Base64 → Hex → ROT13

Add three operations in order:

1
From Base64  →  From Hex  →  ROT13

When the stack is unknown, run Magic (depth 5, intensive mode) first.

Recipe 2: XOR-encrypted shellcode

1
From Hex  →  XOR (key: 0x5A, scheme: Standard)  →  Strings

Switch to XOR Brute Force and filter by MZ or This program to identify a PE header in the output.

Recipe 3: JWT — inspect base64url payload

Apply From Base64url to the middle segment of the JWT (between the two dots):

1
From Base64url  →  JSON Beautify

Recipe 4: Gunzipped + Base64 macro dropper

1
From Base64  →  Gunzip  →  Strings

Common pattern in malicious Office macro payloads and PowerShell droppers.

Recipe 5: DFIR — extract all IoCs from a log blob

Run each extraction separately or use Fork to batch:

1
2
3
Regular expression (URLs)
Regular expression (IP addresses v4)
Regular expression (Email addresses)

Export results with the save icon or copy-to-clipboard.

Recipe 6: UNIX timestamp → UTC datetime (instant)

Paste any UNIX timestamp as input, add one operation:

1
From UNIX Timestamp
1
1751875200  →  Sun 07 Jul 2026 04:00:00 UTC

Unit defaults to seconds. Switch to milliseconds for JavaScript-style timestamps (13-digit).
Reverse (UTC string → UNIX): use To UNIX Timestamp.


Tips

  • Save recipes as bookmarks — the full recipe is encoded in the URL fragment; share the link and anyone reproduces the exact pipeline.
  • Offline use — download CyberChef_vX.X.X.zip from GitHub Releases for air-gapped lab environments.
  • Input auto-detection — CyberChef infers hex, base64, and raw automatically; set “Input type” explicitly when it misfires.
  • Swap input/output — right-click the output pane to use the current output as the next input, useful when chaining transforms.

Key Takeaways

  • CyberChef runs 100 % in-browser — paste credentials and hashes safely; nothing is sent to a server
  • Magic is the fastest first move when encoding layers are unknown
  • XOR Brute Force + known-plaintext filter breaks most single-byte obfuscation in under a second
  • Save frequently used recipes as URL bookmarks — one link reproduces the entire pipeline
  • Download the offline build for air-gapped or restricted lab environments

References

This post is licensed under CC BY 4.0 by the author.