gchq / cyberchef Goto Github PK

Great tool.

Any chance you could add event and time based one time password generation

The html_inline task in Grunt needs to be updated as the download image filename has changed and the pattern no longer matches.

Releasing CyberChef is an incredible act of generosity! Thank you so much!

Sometime between November 28 when it worked on an iPad and now, the web app stopped working. In particular, the operations tab no longer appears and the layout of the input/output areas is below the Bake button. Nor do links at the top right function. I suspect a JavaScript error is interrupting the page load but the debugging environment on iOS is not conducive to seeing what is going on.

firefox 48.0.2.

About/Support dialog > FAQs tab:

the anchors on the current 3 faqs for some reason do not create the usual cursor (pointer). not sure why. the blockquote??

possible fixes (not all checked):

• add ids
• blockquote a { cursor: pointer; }
• a[data-target='#faq-examples'] { cursor: pointer; }
• a[data-target='#faq-load-files'] { cursor: pointer; }
• a[data-target='#faq-fork'] { cursor: pointer; }

other...

html (starting line 301): https://github.com/gchq/CyberChef/blob/master/src/html/index.html

Thank you for great tool!

It will be nice to see algorithms from ISO14443 and ISO13239 contactless smartcards standards.

• CRC16_A Initial register 0x6363 or 0xC6C6 in reversed bit order.
  Polynomial is 0x1021 and no final XOR.
• CRC16_B
• BCC (Bit Count Check) — simple successively XOR-ing all bytes

I've made my own calculator for example https://hub.zhovner.com/tools/nfc/

I'm trying something very simple and I can't figure out if the flaw is on me or on them.

1. Take a base64 encoded payload as Input: "AAAAI9Dw0qHYq9+61/XPtJS20bTAn+yV5o/hh+jK8J7rh+vLtpbr". I use the "From Base64" module.

2. The result is differential XOR crypt. The seed is 171. I select the XOR module and use 171 as the key. Then i pick "differential" option. Doesn't work.

Recipe:
[{"op":"From Base64","args":["A-Za-z0-9+/=",false]}
{"op":"Drop bytes","args":["0","4",false]}
{"op":"XOR","args":[{"option":"Hex","string":"AB"},false,true]}]

Am I missing something? This is a very simple example.

The simple python code that decodes it is this:

def decrypt(string):
key = 171
result = ""
for i in string:
a = key ^ ord(i)
key = ord(i)
result += chr(a)
return result

string = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="
result = decrypt(base64.b64decode(string)[4:])
print "decoded: ", result
print "Length: " , struct.unpack("I", string[0:4])

Can we have a tag or a release please?

As a packager, without a tag or release, it is difficult to create reproducible builds without this.

Request summary

Development of an operation to calculate MD6 hashes. CyberChef already supports MD5 hashing thanks to CryptoJS (example and code).

Arguments

• Output length - Allow the user to specify the digest length from a list including at least 128, 256, and 512 (see SHA3 for an example)

Example input and output

Digest length == 128
Input: Test
Output: bc7e7a90c6610310a6c386ba0482c889

Digest length == 256
Input: Test
Output: 2543e1c393d880e4564fed11f15d03ade6c5ccb9dbbd45ff1808010cbd82bdd2

Digest length == 512
Input: Test
Output: 702fd91632a6df15bb5041eb2ea031f7b931564eeb5324e92250bf2f4a8cb5eb7f40a607341b1ede16c880040bd04ab828f9aa81b5da3967111cdcdafd390839

Resources

https://en.wikipedia.org/wiki/MD6
http://groups.csail.mit.edu/cis/md6/submitted-2008-10-27/Supporting_Documentation/md6_report.pdf
http://groups.csail.mit.edu/cis/md6/ - An implementation in C can be found in the Downloads section
https://github.com/Snack-X/md6 - Includes a JavaScript implementation (which will need to be checked for correctness)

Currently all your libs are manually specified:

https://github.com/gchq/CyberChef/blob/master/Gruntfile.js#L46-L125

This is a DRY violation and a pain to maintain.

Choose a modern module bundler: webpack, rollup, bunch etc: https://webpack.js.org/get-started/why-webpack/#comparison

When using the "Find / Replace" Operation with the "Extended" and "Simple string" options, the first instance of the text is replaced and no recursion takes place (with and without the "Multiline matching" option checked).

The sample case:

Attachment MESSAGE_7.zip

Attachment MESSAGE_9.zip

Attachment MESSAGE_0.zip

When using "Extended" with one Find / Replace recipe finding "\r\n" or two recipes finding "\r" and "\n", replacing with "" (nothing), the first line is modified and no others (with or without "Multiline matching" enabled). However, utilizing these Extended search terms as "Regex" in two recipes, all new lines are removed.

When using "Simple string" to find "Attachment " or "Attachment " and replace it with "" (nothing), the same behavior noted above for "Extended" occurs. Only the first line is modified, unless the option is toggled to "Regex", then all lines are parsed.

My initial workaround was to create one recipe parsing to replace about ten lines with Regex, move the data to Notepad++ to replace the Extended and Simple string, then back to CyberChef to use a second recipe to bake out the final changes needed. After testing, I am able to use the Regex option as a workaround to find/replace the needed Extended and Simple string in one recipe.

Request summary

Development of operations to calculate MD2 and MD4 hashes. CyberChef already supports MD5 hashing thanks to CryptoJS (example and code).

Example input and output

MD2
Input: Test
Output: 1178f3ddf625018179a93c1a0298dfa9

MD4
Input: Test
Output: 5d9381b52cd41a87bc8fcc7726aec03a

Resources

https://en.wikipedia.org/wiki/MD2_(cryptography)
https://en.wikipedia.org/wiki/MD4

Request summary

Development of operations to calculate Fletcher-32 and Fletcher-64 checksums. CyberChef already supports Fletcher-16 (example and code).

Example input and output

Fletcher-32
Input: Test
Output: 03d901a0

Fletcher-64
Input: Test
Output: Currently unavailable

Resources

https://en.wikipedia.org/wiki/Fletcher%27s_checksum

Using the following babel config you can encode your supported browsers:

{
  "presets": [
    ["env", {
      "targets": {
        "chrome": 55,
        "firefox": 50,
      },
      "modules": false,
    }]
  ]
}

This way you'll be able to use all features of es2016 and those features not supported in chrome or firefox will be automatically translated by babel.

modules: false is set because module bundlers need the "import/export" keywords to create an optimized bundle.

It works fine in Chrome on iMac but not in Chrome on IPad, I guess the drag target event might not be handled. Mostly other things seem to be fine on an iPad. The app is a boon due to the paucity of text tools on the device.

Add the possibility to create files for translation. Usefull for operations name, arguments and description

It would be nice to have the ability to add a note or comment to an operation. I can see this being useful if you publish a receipt and you want to provide some clarity on why your doing a specific operations. An example would be why your using the "Drop Bytes" operation.

This could be represented by icon on the operation and then displayed with a mouse over event.

Thanks,

Superhac

Hi :)

I'm French developer and because we develop in English, we often need to translate french words to english to create variables or anything.

It would be great to have a translation operation in CyberChef 👍

For example to create a slug url from french sentence :
Input text : "Ma page d'accueil"
Translate operation (FR -> EN) : "My homepage"
To lowercase : "my homepage"
Regex to replace whitespaces : "my-homepage"
Tadaaa 🏌️‍♂️

Hi,
It looks like it's not possible to use the output of an action as a parameter (ex: a key) in another action. Am I right? If yes, that could be an interesting feature so one could chain operations like using a key derivation function to generate the key used to encrypt an input).
Thanks.

It's likely worthwhile to keep the live demo inline with the master branch.

Based off of some quick research, the preferred mechanism seems to leverage travis-ci

Links:
https://gist.github.com/domenic/ec8b0fc8ab45f39403dd
https://github.com/steveklabnik/automatically_update_github_pages_with_travis_example

Request summary

Development of Unicode support for the Strings operation. Currently the Strings operation can only detect strings matching the following regular expression: [A-Z\\d/\\-:.,_$%'\"()<>= !\\[\\]{}@].

It should also be able to detect strings that have been encoded in UTF-16 and (ideally) other Unicode formats. This support should be toggle-able via an argument.

Example input and output

The following recipe should match against the word "Test": https://gchq.github.io/CyberChef/?recipe=%5B%7B%22op%22%3A%22Text%20encoding%22%2C%22args%22%3A%5B%22UTF8%22%2C%22UTF16%22%5D%7D%2C%7B%22op%22%3A%22Strings%22%2C%22args%22%3A%5B%223%22%2Cfalse%5D%7D%5D&input=VGVzdA

Could you please add the input/output scheme parameter thats in the regular XOR operation to the XOR Brute Force operation.

Thanks!

When bug happends, the tooltip popup stays shown, and you have to reload the page to make it dissapear.

How to reproduce bug

1. Focus search bar
2. Hover over an operation
3. Type something in the searchbar, thile still hovering over an operation
4. Move the mouse away, and the popup will stay open.

The time taken to run PBKDF2 is scales non-linearly with iterations. This is due to the the underlying PBKDF2 algorithm in CryptoJS. This prevents the use of nice large iteration counts as it recommended for this algorithm.

Benchmark showing problem
SJCL has a better implementation. Alternatively CryptoJS could be fixed.

JSON Beautify and JSON Minify code tidy operations yield an error message when the input box is empty.

Steps to reproduce the issue (please be as specific as possible)

1. Visit https://gchq.github.io/CyberChef
2. Expand the code tidy operations
3. Double click on the JSON Beautify or JSON Minify code tidy operations

Expected behavior

It should add the operation to the recipe box without error, similar to the other operations.

Actual behavior

The following error message is displayed:

• Operating system (Mac OS X Yosemite 10.10.5)
• Web browser and version (Chrome 55.0.2883.75 (64-bit))
• Date, specific time and time zone when issue was found (Friday, December 2, 2016 8:28a UTC)

eg:

css/lib/bootstrap3.min.css
html/index.html
js/config/Categories.js

Your source code directories should be chosen by feature, not filetype. This keeps style, markup and code together when navigating your codebase.

There's no need to add extra redundant file type information to your paths, we already know it's a js file because the path ends with js. You can use **/*.js to select them in scripts.

Request summary

Development of operations to Tar and Untar input data.

Example input and output

Untar
Input: Test.tar.txt
Output: Should list both filenames and the file contents. Similar output to the Unzip operation.

Resources

https://en.wikipedia.org/wiki/Tar_(computing)

Request summary

Development of an operation to carry out Bzip2 compression. CyberChef already supports Bzip2 decompression thanks to the bzip2.js library (code).

Resources

https://en.wikipedia.org/wiki/Bzip2
http://www.bzip.org/downloads.html
http://www.bzip.org/1.0.5/bzip2-manual-1.0.5.html

I noticed that the package.json file has no external dependencies at all (except for dev). This seems like a bad idea as it results in the planned obsolescence and excessive bundling highlighted in #2. I'd like to add features that depend on npm packages, but before I do so, I want to know if there is some specific policy about not using external dependencies or whether I should import stuff manually.

I was expecting this tool to be available for offline use when clicking on download button. But it doesn't respond.

HTML-encoded astral Unicode symbols are incorrectly decoded.

E.g. 𝌆 becomes 팆 instead of 𝌆.

https://gchq.github.io/CyberChef/?recipe=%5B%7B"op"%3A"From%20HTML%20Entity"%2C"args"%3A%5B%5D%7D%5D&input=Zm9vICYjeDFEMzA2OyBiYXI

Perhaps you could use https://github.com/mathiasbynens/he for HTML entity encoding/decoding.

Hi all, there's a small XSS bug in your tool that you might wanna fix:

PoC:

https://gchq.github.io/CyberChef/?recipe=[{"op"%3A"XOR"%2C"args"%3A[{"option"%3A"He<iframe onload%3Dalert`1`>x"%2C"string"%3A""}%2Cfalse%2Cfalse]}]

The problem seems to be located in the method HTMLApp.prototype.set_recipe_config:

Affected Source:

[...]
        for (var j = 0; j < args.length; j++) {
            if (args[j].getAttribute("type") == "checkbox") {
                // checkbox
                args[j].checked = recipe_config[i].args[j];
            } else if (args[j].classList.contains("toggle-string")) {
                // toggle_string
                args[j].value = recipe_config[i].args[j].string;
                args[j].previousSibling.children[0].innerHTML = recipe_config[i].args[j].option +
                    " <span class='caret'></span>";
            } else {
                // all others
                args[j].value = recipe_config[i].args[j];
            }
        }
[...]

The recipe JSON from location.search is parsed correctly yet not sanitized before user input hits the recipe list's innerHTML property. It might make sense to sanitize those using DOMPurify or comparable tools.

Note: this attack can even be persisted by using the reflected XSS to modify the content of the localStorage container.

The attacker would simply add another HTML injection into the object favourites and thereby make sure, that the injected JavaScript executes next time the user re-opens CyberChef. After one successful injection and execution, the localStorage object has to be modified again to persist the attack.

PoC for persistence:

1. Click this link
2. Open CyberChef w/o parameters

Neither of these operations perform as I would expect.
Unique does not delete a duplicate.
HTML Strip removes all text between angle brackets and not just valid HTML tags.

Astral Unicode symbols such as 𝌆 are incorrectly encoded as two separate entities (one for each surrogate half).

E.g. 𝌆 becomes �� instead of &119558; or 𝌆.

https://gchq.github.io/CyberChef/?recipe=%5B%7B"op"%3A"To%20HTML%20Entity"%2C"args"%3A%5Bfalse%2C"Named%20entities%20where%20possible"%5D%7D%5D&input=Zm9vIPCdjIYgYmFy

Perhaps you could use https://github.com/mathiasbynens/he for HTML entity encoding/decoding.

Currently all 3rd party code is stored in https://github.com/gchq/CyberChef/tree/master/src/js/lib

It would be much easier to manage updates to these packages if they were declared in your package.json and installed via yarn install https://yarnpkg.com/

With the setting "Update the URL when the input or recipe changes" turned on (the default), each update of the URL results in Chrome 54.0.2840.99m on Win10 rerequesting the favicon.

As a result, user input including parameters supplied to operations such as cryptographic keys are disclosed to the server via URL parameters in the Referer header. This is inconsistent with the feature statement "it should be noted that none of your input or recipe configuration is ever sent to the CyberChef web server". Worth noting to paranoid users that the web server in this instance belongs to GitHub, not to the GCHQ.

Perhaps these parameters could be moved into client-side hash parameters or this setting turned off by default and a warning provided when turned on?

All the other encrypt/decrypt pairs appear to work except for the AESEncrypt->AESDecrypt. If you AESEncrypt a string with any key, AESDecrypt does not output that same string with the same key. In fact, it doesn't seem to output anything.

To allow for quick parsing of senders from a domain in an email list, can a delete action be added to the Split Operation's "Split delimiter" where any characters trailing the "Join delimiter" are removed? Currently, this is being performed by a bulkier Excel "Text to Columns" delimited on "@".

For example (Note: ";" used in place of '\n\r'):

Join delimiter - @
Split delimiter - Deletes trailing
Input - [email protected];[email protected];[email protected]
Output - sender1;sender2;sender3

Thanks for the consideration.

Re Issue #45 that was closed. It still seems broken on my iPad running ios 9 with Chrome. I sleuthed where the breakage seemed to be. It works at this commit:

https://cdn.rawgit.com/gchq/CyberChef/a4c9bb890746cbea09de1b775f64b21577c59362/cyberchef.htm

and fails at the next commit:

https://cdn.rawgit.com/gchq/CyberChef/7bcf560ff15ba59379b7af14b98498b5b5a924d7/cyberchef.htm

The only change at that commit is the switch from jsHint to EsLint so I think it must be something esLint is doing or maybe the order files are being packaged and maybe two functions with the same name but different load orders -- just theories.

JS unescape() decodes hex values prepended with "%". It would be nice to have.

Hello, thanks to all contributors working on this project.
I would like to request the addition of base58 en/decoding, which is used for human-friendly encoding in cases like bitcoin addresses, etc.

Cheers!

It is a feature request. It would be great to have GPG based (d)encryption that processes texts, either by encrypting (with a public key) or dencrypting messages (with a private key).

Ref: https://github.com/blog/273-github-ribbons

just adding ToHex + FromHexDump after eachother should return the input as it forms an identity function. In CyberChef it returns the input without the last character.

Example: 'hello' -> 'hell'

It would be really cool to allow multiple input/output windows, and assign various recipes to them.

As a simple example, I want to be able to:

• Paste some base64'd, urlencoded, htmlencoded data into the input
• Apply the various recipe's to get this to plaintext (bonus points if each recipe has an optional 'display data' step so I can see each one as it goes)
• Be able to modify the decoded plaintext
• Build up a list of encoders to get it back to it's original encoded state (htmlencode, then urlencode, then base64)

As a pentester, this would be really useful when wanting to mess around with data then stick it back into a request.

Obviously the current workaround to this is to have 2 CyberChef tabs open (one for decoding, one for encoding), and then copy between them.

Can we have a dark theme please?

yarn add --dev eslint

Hello,

It's probably something I'm doing wrong, but I'm trying to get this to work with Apache and CentOS 7.

/var/www/CyberChef/build/prod/
total 232
drwxr-sr-x 3 root apache   4096 Dec  3 22:44 .
drwxr-sr-x 4 root apache   4096 Dec  3 22:44 ..
-rw-r--r-- 1 root apache  28005 Dec  3 22:44 cyberchef.htm
-rwxr-xr-x 1 root apache   1800 Dec  3 22:44 .htaccess
drwxr-sr-x 2 root apache   4096 Dec  3 22:44 images
-rw-r--r-- 1 root apache  28069 Dec  3 22:44 index.html
-rw-r--r-- 1 root apache 162961 Dec  3 22:44 styles.css

<VirtualHost *:80>
    ServerName cyberchef.outsideit.net
    ServerAlias cyberchef.outsideit.net
    DirectoryIndex index.html
    DocumentRoot /var/www/CyberChef/build/prod/
    LogLevel warn
    ErrorLog /var/log/httpd/error_http.log
    CustomLog /var/log/access_http.log combined
</VirtualHost>

The results look like this in http://cyberchef.outsideit.net/

The Operations column isn't shown and the buttons don't seem to work. Any advice to get this working is very much appreciated.

Willem

Would be cool to be able to have an ingredient which can do XPath queries

Request summary

Development of operations to convert data to and from the BCD format.

Arguments

• Option to specify that the output be uncompressed or packed

Example input and output

Resources

https://en.wikipedia.org/wiki/Binary-coded_decimal

Optional extensions

Add the capability to support different types of BCD encoding as specified in the Wikipedia entry or elsewhere.