URL Encoding and Decoding for Security
URL encoding replaces unsafe characters with % followed by two hex digits. A space becomes %20, a forward slash becomes %2F. Attackers abuse this to sneak payloads past WAFs and input filters, especially through double or triple encoding where %25 becomes the encoded form of % itself.
Try it now
Encoder / Decoder
Runs in your browser, nothing leaves your device.
A WAF might block `../` in a path traversal attempt. But if you encode it as `%2e%2e%2f`, some servers decode it after the WAF check. Double encoding goes further: `%252e%252e%252f` decodes to `%2e%2e%2f` which decodes again to `../`. This technique bypasses security filters that only decode once.
SQL injection through URL parameters often uses encoding to evade detection: `' OR 1=1--` becomes `%27%20OR%201%3D1--`. XSS payloads hide script tags: `<script>` as `%3Cscript%3E`. When investigating suspicious URLs, always fully decode them before analysis.
Examples
Double-encoded path traversal
%252e%252e%252fpasswd
../passwd
Encoded XSS payload
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
<script>alert(document.cookie)</script>
Security context
Always fully decode URLs before making security decisions. A single decoding pass is not enough if the attacker used double or triple encoding. Decode repeatedly until the output stops changing.
Frequently asked
Double encoding means encoding an already-encoded string. The % character itself becomes %25, so %2F (slash) becomes %252F. Some servers and proxies decode URLs at different stages, which can let double-encoded payloads slip through security filters.
Decode the full URL and compare it to the encoded version. Look for %25 sequences (double encoding), unusual characters in path segments, and known attack patterns like ../ or script tags hiding behind encoding.
Go deeper
Continue in the Web Security Academy
Related techniques
Base64 Decoding
How to decode Base64-encoded payloads found in malware, phishing kits, and obfuscated scripts. Detect hidden URLs, credentials, and executable code.
HTML Entity Encoding in XSS and Phishing
Decode HTML entities used to obfuscate XSS payloads, phishing page content, and malicious scripts embedded in web pages.
Detecting Phishing URLs: Indicators and Techniques
Analyze URLs for phishing indicators: typosquatting, homoglyph attacks, suspicious subdomains, URL shortener abuse, and credential harvesting parameters.