
Getting Started Guide

How to Install and Use CyberChef

This guide covers accessing CyberChef, building transformation recipes, and using it for common security analysis tasks like decoding, decryption, and data extraction.

Prerequisites

  • A web browser (that's it - CyberChef runs entirely in the browser)

1

Access CyberChef

CyberChef runs in your browser. Use the hosted version or run it locally for sensitive data.

Hosted version

# Visit https://gchq.github.io/CyberChef/

Run locally with Docker

# The CyberChef container serves on port 80; publish it on host port 8000
docker run -d -p 8000:80 ghcr.io/gchq/cyberchef:latest
# Then visit http://localhost:8000

Note: CyberChef runs entirely client-side - no data is sent to any server, even on the hosted version. But for sensitive investigation data, running locally is best practice.

2

Your First Recipe

CyberChef works by chaining operations into a 'recipe'. Paste input on the left, drag operations into the recipe area, and the output appears on the right.

Decode Base64

# 1. Paste Base64 text in the Input box
# 2. Search for 'From Base64' in the Operations panel
# 3. Drag it into the Recipe area
# 4. Output appears automatically

# Try it: paste 'SGVsbG8gV29ybGQ=' and apply From Base64

3

Chain Multiple Operations

The real power is chaining operations. Data flows through each step in order.

Base64 then hex decode

# Recipe:
# 1. From Base64
# 2. From Hex

# URL decode then Base64 decode:
# 1. URL Decode
# 2. From Base64

Extract and decode

# Recipe for extracting URLs from encoded data:
# 1. From Base64
# 2. Extract URLs

Note: Drag operations to reorder them. Each operation transforms the output of the previous one. You can disable individual steps by clicking the checkbox to debug your recipe.

4

Common Security Recipes

Recipes you'll use regularly in security work.

Decode XOR-encoded malware string

# 1. From Hex
# 2. XOR (set the key)
# Output: decoded string

Analyze JWT token

# 1. Paste the JWT
# 2. JWT Decode
# Shows header, payload, and signature

Hash identification

# 1. Paste a hash
# 2. Analyse hash
# Suggests the hash type

Extract IOCs from a report

# 1. Paste text
# 2. Extract IP addresses
# 3. Sort
# 4. Unique

5

The Magic Button

CyberChef's Magic operation automatically detects encoding and suggests transformations. It's surprisingly good.

Auto-detect encoding

# 1. Paste encoded/encrypted data in Input
# 2. Search for 'Magic' in Operations
# 3. Drag it into Recipe
# 4. CyberChef suggests what encoding it is and how to decode it

Note: Magic works by trying common transformations and checking if the output looks like readable text. It can chain multiple steps automatically - sometimes revealing Base64-within-URL-encoding-within-hex patterns you wouldn't spot manually.
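
The search idea described in the note above, as an added sketch that is not CyberChef's own code and not part of the original guide. The three decoders, the 0.95 printable-ASCII threshold and the helper names (magic, printableRatio, buildSample) are assumptions chosen for illustration; it runs under Node.js.

```javascript
// Added illustration (not CyberChef's source): a depth-limited search over decoders.
// Each decoder returns null unless the input is strictly valid for that encoding.
const decoders = {
  "From Hex": (s) =>
    /^(?:[0-9a-fA-F]{2})+$/.test(s) ? Buffer.from(s, "hex").toString("latin1") : null,
  "From Base64": (s) =>
    s.length >= 8 && s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s)
      ? Buffer.from(s, "base64").toString("latin1")
      : null,
  "URL Decode": (s) => {
    if (!/%[0-9a-fA-F]{2}/.test(s)) return null;
    try { return decodeURIComponent(s); } catch { return null; }
  },
};

// Readability heuristic (assumed threshold below): share of printable ASCII characters.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let printable = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  return printable / s.length;
}

// Returns every decoder chain that ends in readable text no decoder can take further.
function magic(input, maxDepth = 4, minRatio = 0.95) {
  const found = [];
  const walk = (data, recipe) => {
    let extended = false;
    if (recipe.length < maxDepth) {
      for (const [name, decode] of Object.entries(decoders)) {
        const out = decode(data);
        if (out === null || out === data || printableRatio(out) < minRatio) continue;
        extended = true;
        walk(out, [...recipe, name]);
      }
    }
    if (!extended && recipe.length > 0) found.push({ recipe, output: data });
  };
  walk(input, []);
  return found;
}

// Constructed sample: text -> Base64 -> URL-encoded -> hex.
function buildSample(text) {
  const b64 = Buffer.from(text, "utf8").toString("base64");
  return Buffer.from(encodeURIComponent(b64), "ascii").toString("hex");
}

console.log(magic(buildSample("Hello World")));
```

The hex input is also syntactically valid Base64, but that branch is discarded because its decoded bytes fall below the readability threshold, which is why the heuristic matters as much as the decoders.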
