A virtual teacher who reveals to you the great secrets of Base64

Base64URL

Comments: 23 | Rating: 4.8/5

Base64URL is a modification of the main Base64 standard, the purpose of which is the ability to use the encoding result as filename or URL address. The Base64URL is described in RFC 4648 § 5, where it is mentioned that the standard Base64 alphabet contains invalid characters for URLs and filenames.

The first problem is that the main standard uses “+” as the 62rd character and “=” as padding character. Both characters have a special meaning in the URI address: “+” is interpreted as space, while “=” is used to send data via query string as “key=value” pair. As you understand, using these symbols may lead to various errors.

The second problem — the main standard uses “/” as the 63rd character, which both for URL addresses and for file system locations, represents the directory separator. Therefore in this case errors are guaranteed.

To avoid the errors above, it was proposed to use a “safe alphabet” for URL addresses and filenames. Thus, the Base64URL was born. It uses the same algorithm as the main standard, but differs in the following:

  • Replaces “+” by “-” (minus)
  • Replaces “/” by “_” (underline)
  • Does not require a padding character
  • Forbids line separators

For example, the main standard will encode <<???>> to PDw/Pz8+Pg== while Base64URL will convert it to PDw_Pz8-Pg. As you can see, only special characters have been changed, while the letters and digits have remained intact.

If you want to see it in action, check the following tools:

This page would be incomplete without Base64URL characters table. So, meet it:

Uppercase Letters
IndexCharacter
0A
1B
2C
3D
4E
5F
6G
7H
8I
9J
10K
11L
12M
13N
14O
15P
16Q
17R
18S
19T
20U
21V
22W
23X
24Y
25Z
Lowercase Letters
IndexCharacter
26a
27b
28c
29d
30e
31f
32g
33h
34i
35j
36k
37l
38m
39n
40o
41p
42q
43r
44s
45t
46u
47v
48w
49x
50y
51z
Digits
IndexCharacter
520
531
542
553
564
575
586
597
608
619
Symbols
IndexCharacter
62-
63_

Given all of the above, a Base64URL value can be defined using the following regular expression:

^[A-Za-z0-9_-]+$

I would also like to provide some additional links:

Comments (23)

I hope you enjoy this discussion. In any case, I ask you to join it.

  • Faizul,
    I want to decode some string that I received from app sniffing.

    I will be pleased if you help me to decode such following code:

    abG9nb191cmw=, maHR0cDovLzUxLjE1LjIwOS45MDo4ODAwL2RhdGEvaW1nL2ZpbGVzLzU2NjU5X2FzcG9yLmpwZw==

    Please let me know how to decode the above-mentioned characters.

    Thanks
    reply
    • Zaidan,
      Found one kinda look like that while reversing android apk, thought it was Base64 but turns out it was AES256 encryption.
      So that might be AES256
      reply
  • DavidSpector,
    This is a great standard, and one that is overdue. But those responsible for JavaScript and PHP (at least), need to add it to their languages so programmers can learn about this and use it directly.
    reply
    • cs32,
      @DavidSpector, it would be convenient to have built-in base64url methods in PHP / JS, but, frankly, implementing them is very trivial:

      PHP:
      php
      function base64url($str) {
          return str_replace(['+','/','='], ['-','_',''], base64_encode($str));
      }
      // decode base64url encoded data
      function unbase64url($str) {
          return base64_decode(str_replace(['-','_'], ['+','/'], $str));
      }


      JS:
      js
      function base64url(str) {
          return btoa(str).replace(/=+$/,'').replace(/\+/g,'-').replace(/\//g,'_');
      }
      function unbase64url(str) {
          return atob(str.replace(/-/g,'+').replace(/_/g,'/'));
      }
      reply
      • Slay,
        @cs32,
        it's was wrong:

        // decode base64url encoded data
        function unbase64url($str) {
            return base64_decode(str_replace(['-','_'], ['+','/'], $str));



        so is correct:

        function unbase64url($str) {
            return base64_decode(str_replace(['-','_'], ['+','/'], base64_decode($str));
        }
        reply
  • Dominik,
    Thanks for the article, clear and understandable. My only question is what exactly do you mean by "Does not require a padding character"? So it means that in some cases it is allowed to use it? When is it allowed and when is it not? It'd be great to extend that section.
    reply
  • Newton,
    We wish to thank you just as before for the lovely ideas you gave Jeremy
    when preparing her own post-graduate research in addition to, most importantly,
    regarding providing all the ideas in a single blog post.
    If we had been aware of your web page a year ago, we will have been kept from
    the needless measures we were implementing. Thanks to you.
    toys for adults
    reply
  • nqhXncMU,
    -5 OR 998=(SELECT 998 FROM PG_SLEEP(15))--
    reply
  • nqhXncMU,
    555'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
    reply
  • gBqsPxAZ,
    AgLz6K5O'; waitfor delay '0:0:15' --
    reply
  • gBqsPxAZ,
    (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
    reply
  • gBqsPxAZ,
    555'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
    reply
  • nqhXncMU,
    lvij0vd8'; waitfor delay '0:0:15' --
    reply
  • nqhXncMU,
    v0WuCun8' OR 718=(SELECT 718 FROM PG_SLEEP(15))--
    reply
  • nqhXncMU,
    0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z
    reply
  • ncMUFCMU,
    BJVuPLLk') OR 319=(SELECT 319 FROM PG_SLEEP(15))--
    reply
  • ncMUFCMU,
    555*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)
    reply
  • ncMUFCMU,
    if(now()=sysdate(),sleep(15),0)
    reply
  • ncMUFCMU,
    0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z
    reply
  • Tjpatel,
    I know some of the are base64 but when use that the other results are unknown
    so I want to decrypt them eyJ0eXBlIjoiU1NIIiwibmFtZSI6IlZQTjTEsEsgMSIsInNzaFR1bm5lbENvbmZpZyI6.
    eyJpbmplY3RDb25maWciOnsiZW5hYmxlZCI6dHJ1ZSwibW9kZSI6IlBST1hZIn19LCJlbmNyeXB0ZWRMb2NrZWRDb25maWciOiJGZkxqR3BNUG45MzIydlQxNjBGcFRiTnE1eEptY1pDdUdneERJcWxyaTlXOEhOV2kzZEMxQ1pkSU14MVoxYkNtM3hYUkx5Rk0yRWNtMWN0QlkyZ3VwWVZFQVZqV2ZmVC05dllicTdaNGhObUZiSjI4ZWNXTVk5WFo4RWVFRUt3Y2FGOTRzaDhWQWR6VV9pUjU2MmJjQndyR1VhcF83LUFXWVVJNEEteFZnbU5BalJwQjdWM0NvN0Jhd1lHUEw1V1VTUTdhTFdFazNGMnVwbTVONjZQaFdsdGlGRHZEM2VHeFNIMGN0VEtPMXNacDhaZHN4dEh5RDJINUVpbE9WMUx3Vk1JWm9Pc3hZUDA0aXkxUVMwVF94d1RyUmdVamc2OGZYdF9KaUU0NkNxVEs1NFBXWHVvZnI5UjcwN2N4b3JGT3habC10aDZMdnRQaTZoQ1RkV0hxcmxJOVJ5bktxMDFiVkZGQnBXUXplNlFVN05LWWRQWERFRFdsVTVPMlhZaUstX3hRZlVTLWNPVHZlcmhuVi0tVkdVZDdpWC0tWjB3bEg5LXF1dVpVQVA2dmxyc0x3WDg1OWRIZnhGS1Q3LUpneFc0MnVPamYtU096RHlCSGJUa1YwVFQxbUZXcWhuTWt0SzQtOTlJMGQ0a1JyeWlqek9yWTl2RTMxWUZhaEFnbGdzVXdoY2FpMkhzVnNxZG9jQXVaTll0bER4MFJkNGxfZXlSVWE1UjlCeWlHN3RRRDZObndCeUNFNnd1akNsaWNYYUxiMm9aQm1PelNpTkEwc29WZS0wcWFIMmlCUzBNZ3pQd2VtOWF6X2M3SzRYVGRLbkxzUkYxaUhvT2ozUHBFVHVubzBycjYtU3gxb200S0tmQ1FMS2NRdTlSemlEVnRvVVUyX3NwZ1JtX1lEdUU1WlpnOXFkYmhzZWlCWDU2WWxOaC1WUHIwVm5SYlRtOUQxUkNndF9WVmZIckhjMk1PcTFhQ19TMzVybTh1Q2JJUE1RVkZEWE9DaVlER0ZSMUZFUzZPZVVLN05GR0NzZU14UEtHemtOSUFmWFVHY3M4dDBrdEVvc2RwUTk5WjRBN0dkUXZ3cXVMSmJjYjR3VVozU0s5bGt5TzFhRXI0c3ZXMXlYVkZreFg3UzRxYklBZzZNbk43TTdCckFQMk54aEJGUElFcUZ0Y2hRbVIyWWUzSHhtZ3VjSmptdUthXzdIOXpKc0FweUlCcXY3SjRuUUFXcE9iSzVVWUdZVVJuUk5kZ2RObEJvTThEU3k0WWFjeVFoamRMZG9qUUNJVlB3UHVoZlVQNU9LTHE5ME5sdWFuel8wZnZvZUJ5UGptQTRoYk1WZmdUS29Td0ZDUkxYaHNQYjRvMDNaNTFHbHVWLUgwNjBESEk0ekNWWjl2M0JTQzFYRGFWeFMzWFVoSGwyRHNzOFdwTlZEMThDTUJhT2JDSkp6dmtNd055ZS1HNDBPcjlPc3BGclVUcmxiUVBUVjlnNE40eUczN1RhSkZMT3AyZnNnMXdxRWFaMElOWVpVVU0wX0RUVl9tZWpVVTNjZkx5alU3OVJmWi1ORW5VRGVvN1lEcmxQMXdqM3dVSHVQdjljZS1LamVwanAzWkRfV2VicmtpWXhBQjlYR3k5UFVfWHgwNWtjSWdPSjNtTWFENzFtWkRHYzViekI3TDItT0NMdDlZMm45Wml0dUkzWGdWSXAxbFFVN3BMNWdmU0FxaWl6QlUtUHMyUnByZ1JjYl9WWTlvWkxDa3lrekU9In0=
    reply
    • Someone,
      It is not b64, is is JWT
      reply
  • Pawel,
    Hi,

    Can anyone tell me what does +$ means in replace method:
    js
    function base64url(str) {
    return btoa(str).replace(/=+$/,'').replace(/\+/g,'-').replace(/\//g,'_');
    }
    ?
    reply
  • XcwJRDFY,
    ../../../../../../../../../../../../../../etc/passwd
    reply
Add new comment

If you have any questions, remarks, need help, or just like this page, please feel free to let me know by leaving a comment using the form bellow.
I will be happy to read every comment and, if necessary, I will do my best to respond as quickly as possible. Of course, spammers are welcome only as readers.

Recent blog posts