CyberChef Recipes

Content

About CyberChef

Download CyberChef and use it locally
HTTP requests with CyberChef
Limitations

Flow control operations

Fork and Merge
Subsection
Register
Jump, Conditional Jump, Label and Return

Case Study

About CyberChef

CyberChef is a web application for analyzing and decoding data. The many available operations (functions / activities) allow to extract, convert or reformat certain data.

Several operations can be executed one after the other to further process the data. The operations to be performed are called "recipe" to match the name of the web application.

Only with drag and drop it is possible to extract URLs or e-mail addresses from a text or a file, to convert time information into other time formats or to read EXIF information from image files.

The user interface is simple and mostly self-explanatory. The title bar buttons of the "Input" and "Output" areas can be used to select input files or save the result to a file.

Operations can be added, moved and removed from a recipe using drag and drop. A recipe can be saved and loaded in several formats using the title bar buttons of the "Recipe" area. So it is possible to paste copied recipes - e.g. from this page - into CyberChef. A link with the recipe as parameter can also be saved in the browser as a bookmark.

Download CyberChef and use it locally

The respective version is downloaded directly in CyberChef via the link "Download CyberChef" in the upper left corner. To avoid sending sensitive data over the Internet, CyberChef should always be run locally.

HTTP requests with CyberChef

Due to the security mechanisms of modern web browsers, HTTP requests cannot be executed by CyberChef unless the web server explicitly allows this via HTTP response header - this is called Cross-Origin Resource Sharing (CORS). To still be able to make HTTP requests to arbitrary web servers, the line "Access-Control-Allow-Origin: *" must be added to the web server's response. For Firefox, Chrome and other popular browsers there are various add-ons that allow this. After use, the add-on should be deactivated or the Access-Control-Allow-Origin line should be removed again.

However, there are also other setting options via the response headers, such as a restriction of the URL or the request method. Other solutions are also possible, such as a local proxy server or a dedicated web server that acts as a proxy or returns the desired data.

Limitations

CyberChef can only handle a manageable amount of data. For example, large log files of several megabytes require so much processing time that another solution is more appropriate.

Complex tasks cannot be realized or can only be realized with great effort. In these cases, a simple script or program is more suitable.

Flow control operations

"Flow control" contains operations that affect the sequence in which a recipe is processed. They can be used to define conditions for processing or to execute work steps only for certain data.

The "Comment" operation allows you to enter comment texts. Comments are especially useful for more complex recipes, but can also be useful for general description of the recipe.

Fork and Merge

"Fork" divides the data and processes each part individually. Afterwards, the parts are merged again with "Merge". This makes it possible, for example, to process the lines of a text individually.

Example input:

1 1 1
2 2 2
3 3 3

The numbers in the three lines are to be added. For this purpose, "Fork" is added to the recipe. The default setting of "Fork" already separates the data into lines. With the operation "Sum" and a space as separator, the addition of all numbers of a line is done.

The output is now:

3
6
9

"Merge" merges the processing again. A second Sum operation with the "Line feed" separator adds the lines together and outputs the number 18.

Fork('\\n','\\n',false)
Sum('Space')
Merge(true)
Sum('Line feed')

Try example

Subsection

The "Subsection" operation works similarly to "Fork", except that the subsequent operations are performed on specific data. These are determined with a regular expression.

Example input:

123 # 456 # 789

A Subsection operation with the expression "[0-9]+" under "Section" processes all contiguous numbers with the next operations one by one. For example, the operation "CRC-16" calculates the checksums of each number separately, resulting in the output "ba04 # 88d6 # 1c62".

Subsection('[a-zA-Z0-9]+',true,true,false)
CRC-16_Checksum()

Try example

Register

"Register" allows to temporarily store certain data that can be used later in other operations. The selection of data for the registers is done with the capture groups of a regular expression. The registers are specified with "$Rn", where "n" is a number and stands for the corresponding zero-based capture group.

Example input:

1+2=3

A register operation with the extractor expression "([0-9]+)\+([0-9]+)=([0-9]+)" stores the numbers before and after the plus sign, as well as the result in one register each.

In a "Find / Replace" operation, "=$R2" is searched for, which corresponds to the text "=3". The replacement with " makes $R2 ($R0 plus $R1)" finally results in the text "1+2 makes 3 (1 plus 2)".

Register('([0-9]+)\\+([0-9]+)=([0-9]+)',true,false,false)
Find_/_Replace({'option':'Regex','string':'=$R2'},' makes $R2 ($R0 plus $R1)',true,false,true,false)

Try example

Jump, Conditional Jump, Label and Return

Jump operations can be used to skip processing steps that are not required or not desired. A "Conditional Jump" is only executed if a regular expression is true.

"Label" is used to identify a location in the recipe as a jump target for the "Jump" and "Conditional Jump" operations. To continue processing at a label, the name of the label must be specified in the Jump operation.

"Return" is an instruction to end the execution of the recipe at this point. In conjunction with enabling and disabling the operation, this is good for testing a recipe section.

Example input:

https%3A%2F%2Fwww.gaijin.at%2F
aHR0cHM6Ly93d3cuZ2FpamluLmF0Lw

These two lines each contain the URL "https://www.gaijin.at/" in URL encoding and Base64 encoding. To decode the lines depending on the content, the operation "Conditional Jump" is used after a fork operation. If a percent sign followed by a hexadecimal character is found, the processing should continue after the label "urldecode". Otherwise the input is decoded with Base64 and the processing is terminated afterwards with "Return". After the Return operation the label "urldecode" is placed, followed by the URL decode operation.

Fork('\\n','\\n',false)
Conditional_Jump('%[a-zA-Z0-9]{2}',false,'urldecode',10)
From_Base64('A-Za-z0-9+/=',true,false)
Return()
Label('urldecode')
URL_Decode()

Try example

Case Study

Now let's look at an example of a web page that tries to obfuscate some parts of the source code. The letters and numbers in the labels were changed, but the look remained the same. The URL shortener service and the destination address have also been changed.

...
<script>/* u4l14g9r53o4 */
function h43v73s30w75p(j6l3n8e67q){/* k5f54i12t16u19r9 */ return j6l3n8e67q.split('').reverse().join('');/* p3n60r82g8d3 */}
function j12k7u6d96r(){/* u4l14g9r53o4 */ window.location.href = h43v73s30w75p(atob('MHBhQXMveWwudC8vOnNwdHRo')); /* k5f54i12t16u19r9 */}
if ( navigator.userAgent.indexOf("Google") != -1 ) {/* j6l3n8e67q */ document.writeln('<style>#i87z4o8g84 {display:none;}</style>'); /* p3n60r82g8d3 */ } else { /* u4l14g9r53o4 */ document.writeln('<style>#i87z4o8g84 {display:block;}</style>'); /* k5f54i12t16u19r9 */ }
/* p3n60r82g8d3 */</script>
...
<a id="o6h9e18b12" href="#" onclick="j12k7u6d96r();return false;">
...

At first glance, there are only random strings of letters and numbers. In the lower part, the link refers to a JavaScript function called "j12k7u6d96r". This contains an assignment of a value to the "window.location.href" property. If a URL is assigned to this property, the browser open this address in the same window. Obviously, an attempt was made to obfuscate this URL.

To display the source code more clearly, we copy the code between the script tags and paste it as input to CyberChef. The operation "JavaScript Beautify" formats the source code. For the option "Include comments" we remove the check mark to also remove the comments that only serve to confuse anyway.

The recipe

JavaScript_Beautify('\\t','Auto',true,false)

produces the output:

function h43v73s30w75p(j6l3n8e67q) {
    return j6l3n8e67q.split('').reverse().join('');
}
function j12k7u6d96r() {
    window.location.href = h43v73s30w75p(atob('MEhRRGsveWwudC8vOnNwdHRo'));
}
if (navigator.userAgent.indexOf('Google') != -1) {
    document.writeln('');
} else {
    document.writeln('');
}

Now we try to find out the actual address, which is obfuscated by several functions. The string "MEhRRGsveWwudC8vOnNwdHRo" is used as the initial text, which is passed to the first (innermost) function as a parameter. The JavaScript function "atob" is used to decode a text encoded in Base64. Then the user-defined function "h43v73s30w75p" uses JavaScript functions to split the text into individual characters. These are then arranged in reverse order and joined again.

We recreate this with CyberChef by using the text "MEhRRGsveWwudC8vOnNwdHRo" as the new input. We now replace the recipe with:

From_Base64('A-Za-z0-9+/=',true,false)
Reverse('Character')

The result is the URL "https://t.ly/kDQH0", which belongs to a URL shortener service. Such short URLs point to other - usually longer - URLs.

With the online tool "Website Information" we can now determine the actual target URL. To do this, we enter the short URL in the "URL" input field and set the number of redirects to "0". After sending the request, we get the HTTP headers of the server response as a result.

We can see from the status code 302 in the first line that this is a redirection. The destination of this redirection and the actual address we are looking for is in the "Location" line (address changed).