Encoding & Decoding · 1 min read

URL Encoding and Decoding for Security

URL encoding replaces unsafe characters with % followed by two hex digits. A space becomes %20, a forward slash becomes %2F. Attackers abuse this to sneak payloads past WAFs and input filters, especially through double or triple encoding where %25 becomes the encoded form of % itself.

Try it now

Encoder / Decoder

Runs in your browser, nothing leaves your device.

A WAF might block `../` in a path traversal attempt. But if you encode it as `%2e%2e%2f`, some servers decode it after the WAF check. Double encoding goes further: `%252e%252e%252f` decodes to `%2e%2e%2f` which decodes again to `../`. This technique bypasses security filters that only decode once.

SQL injection through URL parameters often uses encoding to evade detection: `' OR 1=1--` becomes `%27%20OR%201%3D1--`. XSS payloads hide script tags: `<script>` as `%3Cscript%3E`. When investigating suspicious URLs, always fully decode them before analysis.

Double-encoded path traversal

Input
%252e%252e%252fpasswd
Result
../passwd

Encoded XSS payload

Input
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
Result
<script>alert(document.cookie)</script>

Security context

Always fully decode URLs before making security decisions. A single decoding pass is not enough if the attacker used double or triple encoding. Decode repeatedly until the output stops changing.

Double encoding means encoding an already-encoded string. The % character itself becomes %25, so %2F (slash) becomes %252F. Some servers and proxies decode URLs at different stages, which can let double-encoded payloads slip through security filters.

Decode the full URL and compare it to the encoded version. Look for %25 sequences (double encoding), unusual characters in path segments, and known attack patterns like ../ or script tags hiding behind encoding.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description