autoDecoder
December 14, 2025
I want to maintain this project with many use cases and interfaces. I hope everyone with encryption/decryption needs can communicate together to improve this project.
Target audience: practitioners with some coding background, or those without one who are willing to learn and tinker with automatic encryption/decryption.
For autoDecoder examples, please refer to autoDecoder-usages, which will be helpful for many who want to write interfaces themselves.
AutoDecoder English/Chinese Language Option
This project is primarily used in Chinese as the main language of the plugin. I've edited this project in both Chinese and English. The core code structure hasn't been changed.
https://github.com/f0ng/autoDecoder
English
Chinese
Plugin Compilation Command
mvn -DskipTests clean package
Do not casually modify the parts of the interface code template that obtain parameters and define the return format; otherwise the output may be garbled or the interface may fail to run.
Communication Group
If the QR code expires, please add WeChat f-f0ng, note autoDecoder communication.
Follow the main WeChat official account (only security) and reply autodecoder to get the download address.
Donation (If the project helps you, you can choose to donate some funds for the maintenance of subsequent versions of autoDecoder, this project is maintained long-term)
If you have problems, first check FAQ
Simple Flowchart
2025.12.14 Update 0.57
- Modify the request header keywords to add support for built-in encryption and decryption
- Optimize the extension tab to adapt to the request header method with built-in encryption and decryption for decryption
- Add confirmation for encryption/decryption method selection when saving configurations
- Fixed the issue where the unknown version could not display the save configuration interface
- Optimize the arrangement of plugin buttons to prevent mixed usage
2025.11.19 Update 0.56
- Update the English version, thank you very much @secfb #48
- Fix sm2 decryption issue #47
- Add request body base64 automatic decoding, adapt encrypted content to binary data, thank you to WeChat group master @满溢
2025.7.24 Update 0.55
- Added matching for header in built-in encryption/decryption mode [including matching for GET request parameters]
2025.7.8 Update 0.54
- Fixed bug where built-in encryption/decryption requests and responses used different encryption/decryption methods
2025.4.3 Update 0.53
- Fixed newline bug [When writing debug module, unified return format, causing the number of newlines to be the same whether header is checked or not]
2024.12.30 Update 0.52 Happy New Year to everyone!
- Interface debugging module adds keyword substitution mode to prevent errors caused by keywords
- Interface mode encryption/decryption will echo errors, so you can know what specific problem caused the encryption/decryption to fail
When the return packet format is wrong
When the interface is not connected
You can also check error information on the Extensions page
2024.10.12 Update 0.51
- Fixed host matching issue in replacement module
- Optimized replacement module, added automatic unicode decoding mode: the type needs to be Literal and Replace needs to be #unicode#, then unicode encoded content in the response packet will be automatically decoded
2024.9.24 Update 0.50
- Fixed sm4 encryption/decryption error
2024.5.5 Update 0.40
- Fixed sm4 encryption/decryption bug (base64)
- Added ciphertext keyword judgment for response body
2024.3.17 Update 0.39-beta1
- Fixed encryption bug (SM4 and AES)
2024.3.13 Update 0.39
- Fixed base64 encryption/decryption bug in SM4
- Fixed base64 decryption bug in AES/DES encryption
2024.2.2 Update 0.38
- Optimized SM4, SM2 encryption/decryption
- Optimized regular expression matching and replacement
2024.1.2 Update 0.37 First update of the new year, wish everyone a happy new year!
- Built-in encryption/decryption adds sm2, sm4 (CBC, ECB) encryption/decryption
- Regular expressions are saved to configuration file
2023.12.18 Update 0.36
- Fixed the problem that the replacement switch was selected by default
- Interface encryption/decryption debugging optimization
- Optimized header keyword judgment
2023.11.22 Update 0.35
- Added load configuration file and save configuration file module, subsequent use can load configuration according to the naming of the configuration file
- Added request and response replacement function, similar to burp's Match and Replace module; added extraction module, configuration example as follows
Normal response
Modified response
2023.11.11 Update 0.34
- Added header keyword judgment
2023.10.23 Update 0.33
- Added automatic base64 decoding for response, when the response packet returns base64, it can be automatically decoded to prevent binary data packet corruption
- Added option saving and reading
2023.9.16 Update 0.32
- Optimized settings for plaintext keywords and ciphertext keywords
2023.9.5 Update 0.31
- In the domain name matching module, multi-domain matching is possible, fixed the problem that the extension tab could not be displayed under multiple domains in the original version
- Removed two newline characters in the interface debugging module
2023.7.6 Update 0.30
- In the Repeater and Intruder modules, added right-click encryption and decryption; when the corresponding method is set, the body of the request can be encrypted and decrypted
- Fixed the problem that Send to Repeater and Send to Intruder would not bring the port number
2023.5.22 Update 0.27
- autoDecoder extension tab adds right-click Send to Repeater and Send to Intruder, and adds formatting, currently only supports json format
2023.5.17 Update 0.26
- Fixed the problem that request headers were missing after checking Process request headers
- Added ciphertext URL decoding reading and encrypted ciphertext URL decoding options
- Fixed other issues, such as extension tabs not appearing when specifying domain ports, Chinese decryption garbled on windows, etc.
Thanks to WeChat group yosel master for feedback
2023.4.25 Update 0.25
- Added binary request body and response body processing. The principle is to base64 encode the content of the request packet and pass it to the interface. You need to set burp as follows, otherwise the encoding obtained will be damaged
- In User options->Character Sets, you need to check Use the platform default (UTF-8) [MAC], or check Display as raw bytes [Windows]
2023.4.14 Update 0.24-beta2
- RSA encryption/decryption
- Response packet regular mode encryption/decryption
2023.4.12 Update 0.24-beta1
- Truncate key according to encryption method
- Fixed the problem that only selecting interface encryption/decryption could not perform encryption/decryption
2023.4.8 Update 0.24
- Optimized test interface data packet display
- Added zeropadding padding mode encryption
- Optimized base64 decoding problem
2023.2.22 Update 0.23
- Optimized some problems with the plugin
- Cases moved to autoDecoder-usages
2023.2.16 Update 0.22-beta1
- Optimized the problem of removing \u0000 when reading ciphertext
- In the built-in algorithm, request packet encryption/decryption and response packet encryption/decryption are separated; you can select encryption algorithm null to indicate no encryption/decryption, which returns the original data packet
2023.2.15 Update 0.22 Major update
- Refactored UI page, the previous UI was too messy, spent some time refactoring the page UI
- Added regular expression extraction for built-in algorithm encryption/decryption, effective when regular expression has content, for two situations:
- Only request encryption
- Encrypting username and password in brute force attacks
Configuration page
Original request
Real request
After decryption
- Added debugging page when interface encryption/decryption, convenient for further code writing
Normal decryption request packet
Normal decryption response packet
Process request headers
2023.2.14 Update 0.21
- Added burp module button to prevent conflicts with requests generated by other modules (such as plugin Extender)
- Optimized plugin decryption reading ciphertext method, read after URL decoding
2023.1.5 Update 0.20
- Added an RSA decryption example
- Optimized tab data packet settings, does not affect the data packet content of repeater itself
2022.9.7 Update 0.19
- Added different encryption algorithm buttons for request packet and response packet [Only for interface encryption/decryption mode], for request packet and response packet using different encryption algorithms (implementation method: when requesting decryption interface, pass parameter requestorresponse at the same time, indicating request [request] or response [response])
- Modified ui, optimized the problem that html could not be parsed on the new version of bp
2022.5.18 Update 0.18
- Added three examples: 3DES encryption, AES encryption, JSON nested encryption
- When sending plaintext request, if the response packet selects the default tab, it has no effect; but when the response packet selects the extension tab, it will also decrypt, causing the response body in the request packet to report an error. 0.18 fixes this problem: plaintext request, response packet only plaintext.
- Added ciphertext keyword, if this keyword appears, do not encrypt, you can check the example json nested encryption
2022.5.15 Update 0.17
- Optimized Desede (3DES) encryption processing problem, 3DES encryption key is 24 bits, when input exceeds 24 bits, it will report key length error, the processing method is to truncate the key length
2022.5.11 Update 0.16
- Added response header processing, the incoming parameter is also dataHeaders
```python
# -*- coding:utf-8 -*-
# author:f0ngf0ng
from flask import Flask, request

# Import pyDes / base64 here once the handlers perform real encryption/decryption.
app = Flask(__name__)


@app.route('/encode', methods=["POST"])
def encrypt():
    body = request.form.get('dataBody')  # Get post parameter, required
    headers = request.form.get('dataHeaders')  # Get post parameter, optional
    if headers is not None:  # Request header encryption enabled
        headers = headers + "aaaa:bbbb\r\n"
        headers = headers + "f0ng:test"
        print(headers + "\r\n\r\n\r\n\r\n" + body)
        return headers + "\r\n\r\n\r\n\r\n" + body  # Return value is fixed format, cannot be changed
    return body


@app.route('/decode', methods=["POST"])  # No decryption
def decrypt():
    body = request.form.get('dataBody')  # Get post parameter, required
    headers = request.form.get('dataHeaders')  # Get post parameter, optional
    if headers is not None:  # Response header encryption enabled
        print(headers + "\r\n\r\n\r\n\r\n" + body)
        headers = headers + "yyyy:zzzz\r\n"
        headers = headers + "f0ng:onlysecurity"
        return headers + "\r\n\r\n\r\n\r\n" + body  # Return value is fixed format, cannot be changed
    return body


if __name__ == '__main__':
    app.debug = True  # Set debug mode, turn off debug in production mode
    # Listens on all interfaces; use host="127.0.0.1" when Burp runs on the same machine.
    app.run(host="0.0.0.0", port=8888)  # port must be an integer
```
Original request response
Response after autoDecoder processing
- Fixed error when request body is empty
- Fixed the problem of adding an extra newline when keyword is empty
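An added sketch, not code from the autoDecoder project, of the logic a /decode handler needs when request and response bodies use different algorithms (the requestorresponse parameter from 0.19) and headers are passed back in the fixed format of the template above. The base64/hex decoders, the sample packets, the "request" default, the pass-through on failure and the trimming of trailing CRLFs before the separator are assumptions made for illustration.

```python
import base64

SEP = "\r\n\r\n\r\n\r\n"  # fixed header/body separator used by the page's template


def _b64_decode(text):
    return base64.b64decode(text).decode("utf-8")


def _hex_decode(text):
    return bytes.fromhex(text).decode("utf-8")


# Constructed stand-ins for real ciphers: request bodies are base64,
# response bodies are hex. Put the reversed algorithm here instead.
DECODERS = {"request": _b64_decode, "response": _hex_decode}


def decode_packet(form):
    """Core of a /decode handler; `form` is the POSTed form as a dict."""
    body = form.get("dataBody") or ""      # required, but may be empty
    headers = form.get("dataHeaders")      # present only when header processing is on
    side = form.get("requestorresponse", "request")  # default is an assumption
    try:
        plain = DECODERS[side](body) if body else ""
    except (KeyError, ValueError):
        plain = body                       # pass through what cannot be decoded
    if headers is None:
        return plain
    # Assumption: drop trailing CRLFs so exactly one separator follows the headers.
    return headers.rstrip("\r\n") + SEP + plain


def split_result(text):
    """Split the fixed format into (headers, body) on the first separator."""
    if SEP not in text:
        return None, text
    headers, body = text.split(SEP, 1)
    return headers, body
```

In a Flask route this would be called as `decode_packet(request.form)`; `split_result` shows why a handler that changes the separator leaves the header and body boundary unrecoverable.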
2022.5.7 Update 0.15
- Optimized port problem in setting domain, two modes:
① Only enter domain name, match domain name and any port number
Match all www.baidu.com:port number, such as www.baidu.com:8080, www.baidu.com:8088
② Enter domain name and port number, match unique domain name and port number host
Only match www.baidu.com:8080
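The two matching modes above, written out as an added example (not the plugin's own code). It assumes rules are given as a list, that hosts are compared exactly and case-insensitively, and that a rule with a port does not match a host given without one; the look-alike host names are constructed.

```python
def parse_rule(rule):
    """Split 'host' or 'host:port' into (host, port or None)."""
    rule = rule.strip().lower()
    host, sep, port = rule.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return rule, None


def host_in_scope(rules, request_host):
    """True when request_host ('host' or 'host:port') matches any rule."""
    host, port = parse_rule(request_host)
    for rule in rules:
        rule_host, rule_port = parse_rule(rule)
        if rule_host != host:
            continue  # exact comparison: no substring or suffix matching
        # Mode 1: rule has no port, so any port matches.
        # Mode 2: rule has a port, so only that host:port matches.
        if rule_port is None or rule_port == port:
            return True
    return False
```

Comparing the host exactly, rather than with a substring test, keeps look-alike names such as www.baidu.com.example.test out of scope, so packets for other hosts are never sent to the encryption/decryption interface.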
2022.4.26 Update 0.14
- Added processing for the entire request packet, how to modify specifically, customized according to different personal needs, template file is flasktestheader.py
Configuration as follows:
Original request packet, capture the entire request as follows, add additional request headers aaaa:bbbb, f0ng:test to the request packet
Actual request packet
- Added custom setting plaintext keyword, when the corresponding keyword appears in the request body, the data packet will not be processed, judged by contains
2022.4.22 Update 0.13
- The processing of \r\n in request packets was not perfect, version 0.13 fixes this problem
- Added case 1 login brute force ldap md5 encryption and case 2 sql injection bypass sqlmap data packet newline problem, to better use the tool for penetration testing
0x01 Background
- When all data packets are ciphertext, we have no way to start. Even if we obtain some key information about the encryption/decryption and can decrypt, we still have to decrypt each data packet one by one: request packets need decrypting and so do response packets, which is quite troublesome
- Despite the name, auto is not really automatic: the encryption/decryption algorithm still has to be reversed by yourself. It is only semi-automatic with respect to the ciphertext in the data packets
0x02 Advantages
- Send plaintext and get a plaintext response; send ciphertext and get a ciphertext response. The original communication packets are not affected, and an added bp extension page shows the plaintext information
- Custom encryption/decryption interface: when the data encryption is complex, you can write Python code for an encryption/decryption interface; the domains that need encryption/decryption are customizable, ready to use
0x03 Plugin encryption/decryption method
- Directly use the plugin's built-in algorithm to encrypt/decrypt data packets (relatively simple, only supports some AES, DES, DESede encryption)
- Write api for encrypting/decrypting data packets through python's flask interface (not necessarily flask framework, you can also use other frameworks, as long as the interface address is correct and the encryption/decryption process is correct)
0x04 File introduction:
- users.sql is the database used for testing
- testsql.php is the page that encrypts request data, encrypts response data and has injection
- flasktest.py is the Python flask encryption/decryption interface written for the test file.
For detailed examples, please check the WeChat official account https://mp.weixin.qq.com/s/B-lBbVpJsPdCp1pjz2Rxdg
Decrypt through built-in encryption/decryption algorithm

Decrypt through flask interface

sqlmap encryption/decryption
