Decoder, Comparer & data tools

~6 min · decode · diff · helpers · Free

The short version. The Decoder chains transforms — Auto, URL, HTML, Base64, Hex, JSON, Protobuf — so you can peel a wrapped token apart and re-wrap it. The Comparer diffs two items side by side, in the GUI or via compare <id-a> <id-b>. And a set of data helpers — decoder, protobuf, body, graphql, idor — are scriptable from the CLI for the same work at the command line. All of this is Free.

01The utility belt

Most of a session is captured traffic, replay, and findings. The pieces here are the small tools you reach for in between: decode an opaque cookie, diff two near-identical responses to spot the one byte that changed, unpack a protobuf body, or list the numeric IDs in a request that look worth tampering with.

Two of them live in the sidebar under TOOLS — Decoder and Comparer. The rest are CLI-first data helpers (decoder, protobuf, body, graphql, idor) that operate on captured History rows or raw input, so they slot straight into scripts and agent loops. Protobuf and GraphQL also surface elsewhere: protobuf is a Decoder mode, and both appear as request views in Repeater (GraphQL / Raw / Headers / Params / Body).

Everything on this page is Free — no account, no telemetry, no Pro entitlement. The data helpers operate on data you already captured; nothing here sends new traffic to a target.

02Decoder — chained encode/decode

Open Decoder from the sidebar. Paste an input, pick a transform, and read the result. The point is chaining: a real token is rarely one layer. A session value might be URL-encoded around a Base64 blob that decodes to JSON — so you apply URL, then Base64, then JSON and watch it resolve step by step. The same modes run in reverse to re-encode after you tamper with the cleartext.

Mode	What it does
Auto	Best-effort: detects the likely encoding and decodes it, so you can start without knowing the layer.
URL	Percent-encoding (`%2F` ↔ `/`) — query strings, form fields, redirect params.
HTML	HTML entities (`<` ↔ `<`) — useful around reflected/stored XSS context.
Base64	Base64 ↔ raw bytes — JWT segments, opaque cookies, embedded blobs.
Hex	Hex ↔ bytes — binary fragments and hashes.
JSON	Parse / pretty-print JSON once you've peeled the outer encodings.
Protobuf	Decode a protobuf wire payload to readable fields — the same engine as the `protobuf` helper below.

From the command line, decoder does the equivalent and prints JSON to stdout, so you can decode a value mid-pipeline:

# decode an opaque value from the shell (output is JSON)
crusader decoder

# everything Crusader prints is JSON on stdout, errors to stderr

Auto is a guess, not an oracle — if a layer looks wrong, switch to the explicit mode for that step. Decoding is local and offline; nothing you paste leaves your machine.

03Comparer — diff two items

The Comparer puts two items side by side and highlights the differences. It's the fastest way to answer "what actually changed?" — two responses to the same request under two identities, a baseline versus a tampered reply, or one request before and after you flipped a flag. The signal you're hunting (an extra field, a different length, a leaked record) is usually one small delta in an otherwise identical body.

From the CLI, point compare at two History IDs and choose the layout:

# unified diff of two captured exchanges
crusader compare 1024 1031 --unified

# or a side-by-side view
crusader compare 1024 1031 --side-by-side

Grab the IDs from crusader history list (or the History screen). A common pairing: send the same request under two saved identities, then diff the two responses to surface an authorization drift before you commit to a finding.

04Protobuf & body helpers

Binary request bodies don't read in a plain Raw view. The protobuf helper turns a protobuf wire payload into readable fields and back again, so you can inspect a message, edit a value, and re-encode it for replay:

crusader protobuf decode # wire bytes → readable fields
crusader protobuf encode # edited fields → wire bytes

The same decode is available interactively as the Protobuf Decoder mode and as a request view in Repeater, so you can pick whichever surface fits the moment.

The body helper works on request/response bodies more generally — decode a body to something readable, re-encode after editing, or pull a body straight out of captured History by ID:

crusader body decode    # body → readable
crusader body encode    # readable → body
crusader body history   # operate on a captured body from History

05GraphQL helper

GraphQL traffic is awkward to read as raw JSON-in-a-POST. The graphql helper formats and works with GraphQL operations from the CLI, and the same handling appears as the GraphQL request view in Repeater so you can edit an operation before resending.

crusader graphql # work with a GraphQL operation (output is JSON)

For finding the GraphQL endpoints worth poking at in the first place, the Scanner covers GraphQL introspection and authz over already-captured traffic.

06IDOR candidate tools

The idor helpers surface the tamper-worthy identifiers in your captured traffic — the numeric IDs, UUIDs, and object references that sit in paths, queries, and bodies — and explain why a given one looks interesting. They read existing History; they don't probe a target.

crusader idor candidates  # list ID-shaped values worth tampering with
crusader idor scan        # scan captured traffic for IDOR candidates
crusader idor explain     # explain why a candidate was flagged

The same candidate list is reachable from the History screen as idor-candidates. Treat the output as a worklist: take a candidate into Repeater, swap the ID, and compare the responses.

These tools only identify candidates from traffic you already captured — confirming an IDOR means sending modified requests, which is intrusive. Only do that against systems you're authorized to test.

07CLI cheat sheet

Every command prints JSON to stdout (errors go to stderr with exit code 1), so all of these are safe to pipe in scripts and agent loops.

Command	Does
`decoder`	Encode/decode a value (URL, HTML, Base64, Hex, JSON, Protobuf).
`compare <id-a> <id-b>`	Diff two History items; `--unified` or `--side-by-side`.
`protobuf decode` / `encode`	Protobuf wire payload ↔ readable fields.
`body decode` / `encode` / `history`	Decode/encode a body, or operate on a captured body from History.
`graphql`	Work with a GraphQL operation.
`idor candidates` / `scan` / `explain`	List, scan for, and explain IDOR candidates in captured traffic.

For the full command surface — verbs, flags, and how to drive Crusader headless — see the CLI reference.

Repeater → Scanner → CLI reference →

Want a guide that isn't here yet? Email hello@crusaderproxy.com.