Hackvertor explained

I’ve been busy…real busy on Hackvertor πŸ™‚ so I thought it might be a good idea to explain the ideas behind it. Please note Hackvertor is currently only tested under Firefox. I may support other browsers in future.

What is it?

It’s many things: a conversion utility, browser hacking platform, targeted fuzzing tool, XSS filter testing tool and the list goes on. I developed it because I wanted to incorporate my style of web site testing and instead of using scripts I’ve had all over the place I wanted one platform to perform all my testing.

How do you use it?

The system works with sets of categorised tags which magically perform conversions and character replacement. The idea is you feed it content and tell it to replace parts of the content with stuff that is difficult to convert without running several conversion routines on or manually coding the javascript. Take the following for example {hex}{dec}test{/dec}{/hex}, that example are the required tags in Hackvertor to perform HTML decimal encoding on “test” followed by hexadecimal entity encoding. You place the required text in the input window, select it and then click the required tags. Once that’s complete you simply click convert to perform the operation.

Why use it?

There are so many combinations of characters, XSS combinations and encodings that filtering those out using PHP or other server side languages can prove a impossible task. Perhaps you want to create some random character fuzzing, null entity checking or simply want a random password generator.

The features

Nested tags are now performed from inner most tag outwards, which enables correct encoding and conversion of multiple tags. Multiple lines are also now supported. Here is the current list of tags supported (these can change):-


base64:Encodes the string as a base64 encoded string.
bin:Converts a number to binary
dec:Converts to decimal html entities
hex:Converts to hexadecimal html entities
hex2rgb:Converts a HTML colour to rgb
uni:Creates a unicode string
oct:Converts the string to octal
enc:Performs url encoding on the string
realenc:Performs a more comprehensive url encoding, which allows “abc” characters to be encoded for example.
htmlent:Converts to standard html entities


d_base64:Decodes the string from base64
d_bin:Converts binary to decimal
d_dec:Decodes decimal html entities into a string
d_hex:Decodes hexadecimal html entities into a string
d_uni:Converts a unicode string into text
d_oct:Converts a octal string into text
d_enc:Escapes a urlencoded string
d_realenc:A pointer to d_enc performs the same operation
d_htmlent:Decodes html entities

Filter evasion

javachar:Converts a string into a LiveConnect supported java string
concat:Creates a string concatentation of whatever you supply, useful for evading filters which don’t allow javascript: for example
eval:This creates a eval function call without directly specifying eval, it accepts the string inside the tags as input. Useful for constructing obscured eval operations.
tag:Creates a random javascript execution point using a html tag
charcode2str:Converts a standard character code into a string
str2charcode: Does the opposite of above


2hex:Converts a number to standard hex
2oct:Converts a number to standard octal


squote:Encloses single quotes around your payload
dquote:Encloses double quotes
bticks:Encloses back ticks, added for fuzzing purposes


randchars:Create a random selection of unicode characters. You can specify the amount using the following: {randchars}10{/randchars} which will produce 10 random characters
randnum:Random numbers, the same method can be used above
randletters:Random letters
randletternums:Random letters and numbers
nullents:Produces a random null entity


md4:Creates a md4 hash of the string
md5:Creates a md5 hash of the string
sha1:Creates a sha1 hash of the string


ucfirst:Makes the first character uppercase
upper:Makes all characters uppercase
lower:Makes all characters lowercase
mixed:Randomly chooses upper or lower case

10 Responses to “Hackvertor explained”

  1. Gareth Heyes writes:

    Damn found a slight bug with nested tags, you can’t specify the same tag twice within multiple sets. Separate sets work fine though.

  2. Ronald writes:

    Wow! πŸ˜€ awesome Gareth!

    Small question though: I can’t seem to get the Hackvertor to work in Opera, but I get that quite often, any ideas?

  3. Gareth Heyes writes:

    Thanks Ronald πŸ™‚

    Yeah it seems there’s a small bug in the regular expression on Opera, for some reason Opera doesn’t like it. I’ll fix it as soon as I find out what’s causing it.

  4. Gareth Heyes writes:

    I’ve narrowed down the Opera problems
    1. Opera doesn’t seem to like you reading the document object. I can workaround this but the document won’t be traversable under Opera.

    2. It doesn’t like my Regular expressions πŸ™
    output = ‘{hex}test{/hex}’
    regexpString = ‘{(hex)}([^]*?){\/(hex)}’;
    // Doesn’t like the { in the exp
    var re = new RegExp(regexpString);
    var matches = ”;
    r = re.exec(output);

    Any JS reg exp experts in the house willing to suggest something? I’ve tried escaping the “{” and using a character class instead but still no joy.

  5. Gareth Heyes writes:

    Fixed it! Whoo hoo πŸ˜€

    Done a rewrite of the regular expressions and changed the tag placeholders to make it work in Opera. The document object is now ignore if you’re on Opera.

  6. Ronald writes:


    What are the changes? modified or dropped stuff?

  7. Gareth Heyes writes:

    Not dropped anything just changed the default tags. Opera will now ignore the document object but the others will traverse it correctly πŸ˜€

  8. Gareth Heyes writes:

    Added a real time conversion feature now πŸ™‚

    Video here:-

  9. thorin writes:

    Wow megafileupload really needs to hire a UI designer.

    The countdown on the Download button totally doesn’t show up or draw attention enough. I reloaded the page like 3 or 4 times before I realized that it wasn’t an embedded object and saw the countdown.

  10. Gareth Heyes writes:

    Yeah sorry about that Thorin, I’d host the video myself but I don’t want to risk excessive bandwidth charges.

    On another note I’ve started to add XSS tags to Hackvertor πŸ˜€ I’ve decided to incorporate all my security testing including XSS, SQL injection and remote file includes etc, if anyone wants to suggest any vectors that I miss then please do.