~/toolsbase64-decode

Base64 Decode & Encode

Paste Base64 to decode it, or type text to encode. Everything runs in your browser.

base64-decode Local · sem envio
  1. Paste your Base64 string into the input box, or type plain text to encode.
  2. The tool auto-detects standard and URL-safe Base64 and decodes it instantly.
  3. Switch between Decode and Encode with the toggle above the box.
  4. Copy the result with one click - nothing is ever uploaded.

Base64 is one of the most common encodings you will meet in security work. It takes raw bytes and represents them using just 64 printable characters - the uppercase and lowercase letters, the digits 0 to 9, and the two symbols + and /. Because the output is plain text, Base64 lets binary data travel safely through channels that were only ever designed for text: email bodies, JSON payloads, HTTP headers, cookies, and URLs. This decoder and encoder runs entirely in your browser, so you can inspect tokens and payloads without sending anything to a server.

Base64 is encoding, not encryption

The single most important thing to understand is that Base64 provides no security whatsoever. There is no key and no secret - the transformation is completely reversible by anyone. When you find a long Base64 blob inside a cookie, an API token, a configuration file, or a hidden form field, decoding it is often the fastest way to reveal what an application is really storing. Developers frequently reach for Base64 to "hide" a value, and that habit hands attackers useful information for free. Treat any Base64 string as fully readable.

How to recognise Base64

A Base64 string is a continuous run of letters, digits, + and /. Its length is usually a multiple of four, and it may end in one or two = characters used as padding. A popular variant called URL-safe Base64 swaps + for - and / for _ so the value can sit inside a URL or filename without extra escaping - JSON Web Tokens use exactly this variant. This tool detects both forms automatically, so you can paste either and get the decoded result.

Where Base64 shows up in hacking

In web testing you will see Base64 in session cookies, CSRF tokens, "remember me" values, and the header and payload of JWTs. In CTF challenges, a chain of encodings - Base64, then hex, then a cipher - is a classic puzzle, and being able to peel back each layer quickly is a real advantage. In forensics and malware analysis, encoded blobs often hide a second-stage script or a command-and-control address that becomes obvious the moment you decode it. Encoding text back into Base64 is just as useful when you are crafting input to test how an application handles it.

A quick example

The text hacker encodes to aGFja2Vy. Decode SGFja2VyRE5B and you get HackerDNA. Notice how a short, innocent-looking string can hide a readable message - that is the whole point, and the reason decoding is a reflex skill for anyone doing security work. Once you are comfortable spotting and reversing Base64, the next step is to use it against a real target in a controlled lab, where recognising an encoded token is often the first move in a full attack chain.

Perguntas frequentes

What is Base64?
Base64 is an encoding scheme that represents binary data as 64 printable ASCII characters (A-Z, a-z, 0-9, + and /). It is used to carry binary safely through text-only channels like URLs, emails, JSON, and HTTP headers. It is NOT encryption - anyone can decode it.
Is Base64 secure or encrypted?
No. Base64 is reversible with no key, so it provides zero confidentiality. Finding Base64 in a token, cookie, or config often means a value was merely obfuscated, not protected - decode it to see the real data.
Does my data get uploaded?
No. This tool decodes and encodes entirely in your browser with JavaScript. Nothing you paste is sent to HackerDNA or any server.
How do I recognise Base64?
Look for a run of letters, digits, + and / that is often a multiple of 4 characters long and may end in one or two = padding characters. URL-safe Base64 swaps + and / for - and _.
What is URL-safe Base64?
A variant that replaces + with - and / with _ so the value can sit in a URL or filename without escaping. This tool auto-detects and decodes both standard and URL-safe input.

Pratique de verdade

Pratique em alvos reais

Transforme essas ferramentas em habilidades com labs práticos e cursos guiados na HackerDNA.

Criar uma conta gratuita
15.000+ Hackers 100+ Labs & Cursos Grátis
Comece Grátis