LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  ENCODE / DECODE

Encoder & Decoder

Base64, hex, URL, HTML entity, ROT13, binary, UTF-8 — paste once, see all conversions at once. Runs locally in your browser.

    What it does

    Reverse engineers and SOC analysts spend a surprising amount of time encoding and decoding. Attackers Base64-encode payloads to evade detection. Web apps URL-encode parameters in ways that hide intent. Malware uses ROT13 or hex to obfuscate strings. Our encoder/decoder runs all six common encodings simultaneously as you type — paste any input and see Base64, hex, URL-encoded, HTML-encoded, ROT13, and binary versions instantly. Two decode buttons go the other way: paste encoded data and convert back to plain text.

    How to use it

    1. Type or paste any text in the input box.
    2. All 6 encodings update live below.
    3. To decode something already encoded: paste it and click "Decode From Base64" or "Decode From Hex".
    4. Click any output cell to copy it to your clipboard.
    5. Cleared input by clicking "Clear".

    Common use cases

    Malware string-decoding During reverse engineering, paste suspicious Base64 strings extracted from malware samples to reveal the underlying command or IOC.
    XSS / SQLi payload analysis Web-app pen testers convert payloads between URL-encoded and plain forms to bypass WAF filters.
    Phishing payload extraction Phishing kits often Base64-encode the exfil URL. Decode it to identify the attacker’s collection server.
    Debugging API integrations When an API expects Base64 payloads, encode test data here and inspect the result before sending.

    Frequently asked questions

    Is the data sent anywhere? +
    No. All conversions are pure JavaScript — runs entirely in your browser tab. Network traffic is zero.
    Why does Base64 add padding (=)? +
    Base64 encodes 3 bytes as 4 characters. When the input length isn’t a multiple of 3, padding chars (=) are added to fill out the final group.
    What is ROT13? +
    A simple substitution cipher rotating each letter by 13 positions. Common in old-school internet contexts to "hide" spoilers. Apply it twice to get the original back.
    Why are non-ASCII characters in binary so long? +
    UTF-8 encoding — each Unicode codepoint takes 1–4 bytes (8–32 bits) depending on its range. Emoji often take 4 bytes = 32 bits.
    Can I encode/decode entire files? +
    Use the Hash Generator for files. This tool is text-oriented; large file conversions hit browser memory limits.

    Related tools

    Related coverage on Ciphers Security

    Free for everyone, no signup required. Tool runs at /tools/encoder-decoder/ — bookmark or share.

    Scroll to Top