URL encoding, also known as percent-encoding, is the mechanism for representing characters in a URL that would otherwise have special meaning or are not permitted by the URL syntax. Each such character is replaced with a percent sign followed by two hexadecimal digits giving its byte value; characters outside ASCII are first converted to bytes (normally UTF-8) and each byte is encoded separately. For example, a space becomes %20, a forward slash becomes %2F, and an opening angle bracket becomes %3C. While essential for constructing valid URLs, URL encoding is also routinely abused by attackers to disguise malicious payloads and slip past security controls that inspect the request before the application sees it.
How It Works
When a browser or HTTP client sends a request, it encodes special characters in the URL so the server can interpret them correctly, and the server decodes them when processing the request. This encode/decode cycle becomes a security concern when the components in the request pipeline (reverse proxy, web application firewall, web server, framework, application code) do not all decode the same number of times or in the same order. If a security filter inspects the raw, still-encoded URL, or decodes it only once, while the application ends up processing a more fully decoded version, an attacker can encode the offending characters so that the filter never sees them in their dangerous form.
Double encoding is the most common form of this evasion. The attacker encodes a character twice: < becomes %3C after the first pass and %253C after the second, because the percent sign itself is encoded as %25. A filter that decodes once sees %3C, which it might not flag, while an application that decodes again receives <, so the payload arrives in its dangerous form. The technique works against web application firewalls and input validation routines that perform a single round of decoding before matching. The defense is to canonicalize before inspecting: decode repeatedly until the value stops changing, with a bounded number of rounds, and reject input that is still changing at the bound. A stricter alternative is to reject any request that still contains a percent sequence after one decode, since legitimate clients encode only once.
Path traversal attacks frequently use URL encoding to obscure directory traversal sequences. The classic ../ can be represented as %2E%2E%2F, %2E%2E/, or ..%2F, among other variations, and a filter that matches only upper-case hex digits misses the equivalent lower-case form %2e%2e%2f. Mixed encoding, where only some characters are encoded, adds further complexity for filters that look for literal patterns in the raw request. A reliable check does not pattern-match the raw string at all: it fully decodes the path, normalizes it against the intended base directory, and only then verifies that the result is still inside that directory.
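The following is an added example, not code from the original page, that puts the two preceding paragraphs side by side: a filter that decodes once (the pattern double encoding defeats), the same blocklist applied after bounded canonicalization, and a path-traversal check that decodes fully and normalizes against a web root before deciding. The sample inputs, the blocklist, the web root `/var/www/html` and the function names are all assumptions made for the demonstration.

```python
import posixpath
import urllib.parse

# Constructed sample inputs for the demonstration (not taken from the page).
DOUBLE_ENCODED_XSS = "%253Cscript%253E"      # "<script>" percent-encoded twice
TRAVERSAL_VARIANTS = [
    "%2E%2E%2Fetc/passwd",        # ../ fully encoded
    "%2E%2E/etc/passwd",          # mixed: dots encoded, slash literal
    "..%2Fetc/passwd",            # mixed: slash encoded only
    "%252E%252E%252Fetc/passwd",  # ../ double encoded
    "images/../../etc/passwd",    # no encoding at all
]
FORBIDDEN = ("<", "..")           # the filter's deliberately simple blocklist
WEB_ROOT = "/var/www/html"        # assumed document root for the path check


def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing.

    The round cap is a deliberate limit: a decoder without a bound can be
    kept busy by deeply nested encodings, so anything still changing after
    max_rounds decodes is rejected rather than guessed at.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("more than %d layers of percent-encoding" % max_rounds)


def naive_filter(raw):
    """Decode exactly once, then inspect: the pattern double encoding defeats.
    Returns True when the request is allowed through."""
    once = urllib.parse.unquote(raw)
    return not any(token in once for token in FORBIDDEN)


def canonical_filter(raw):
    """The same blocklist, applied after canonicalizing the input."""
    try:
        canonical = decode_fully(raw)
    except ValueError:
        return False                # refuse to guess when there are too many layers
    return not any(token in canonical for token in FORBIDDEN)


def application_sees(raw):
    """Simulates a pipeline that decodes twice: once in the web server or
    framework and once more in application code.  That second decode is what
    turns %253C into '<' after a single-decode filter has let it through."""
    return urllib.parse.unquote(urllib.parse.unquote(raw))


def resolves_inside(raw_path, base=WEB_ROOT):
    """Traversal check done on the canonical value: fully decode, join to the
    web root, normalize, and only then confirm the result is still under base."""
    try:
        decoded = decode_fully(raw_path)
    except ValueError:
        return False
    target = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    return target == base or target.startswith(base + "/")


if __name__ == "__main__":
    print("naive filter allows     :", naive_filter(DOUBLE_ENCODED_XSS))     # True
    print("application receives    :", application_sees(DOUBLE_ENCODED_XSS)) # <script>
    print("canonical filter allows :", canonical_filter(DOUBLE_ENCODED_XSS)) # False
    for variant in TRAVERSAL_VARIANTS:
        print("%-28s naive_allows=%-5s inside_root=%s" % (
            variant, naive_filter(variant), resolves_inside(variant)))
```

Run as a script it shows that the single-decode filter passes only the double-encoded variants, which is exactly the gap the application then decodes into a live payload, while the canonical checks reject every variant. The `startswith(base + "/")` guard matters: comparing against `base` alone would accept a sibling directory such as `/var/www/html2`.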
Why It Matters
Understanding URL encoding is fundamental to web application security testing. Many vulnerabilities, from cross-site scripting to path traversal, are reached through encoding tricks that bypass defenses in front of the vulnerable code. A security assessment must therefore account for how the entire request processing pipeline handles encoded input: exercise each injection point with single, double and mixed encoding, and look for inconsistencies between how different components decode the same URL.
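As an added example for the testing approach described above (not code from the original page), the following generator produces the single, double, lower-case-hex and mixed encoding variants of a payload so each injection point can be exercised systematically. The set of characters treated as "special", the `max_mixed` cap and the function names are assumptions; adjust the character set to whatever the filter under test is likely to key on.

```python
import itertools

# Characters a filter is likely to match on; an assumed default, adjust per target.
SPECIAL = set("<>/.\"'%")


def percent(ch, upper=True):
    """Percent-encode one character byte by byte (UTF-8)."""
    fmt = "%%%02X" if upper else "%%%02x"
    return "".join(fmt % b for b in ch.encode("utf-8"))


def encoding_variants(payload, special=SPECIAL, max_mixed=32):
    """Return a dict of labelled encoding variants of payload.

    'full' encodes every special character, 'full_lower' uses lower-case hex
    digits (some pattern matches are case-sensitive), 'double' encodes the
    full variant a second time by turning each '%' into '%25', and each
    'mixed:<positions>' entry encodes only the listed character positions.
    max_mixed bounds the subset explosion on payloads with many specials.
    """
    positions = [i for i, c in enumerate(payload) if c in special]
    full = "".join(percent(c) if c in special else c for c in payload)
    full_lower = "".join(percent(c, upper=False) if c in special else c
                         for c in payload)
    variants = {
        "plain": payload,
        "full": full,
        "full_lower": full_lower,
        "double": full.replace("%", "%25"),
    }
    # Mixed encoding: every proper, non-empty subset of the special positions.
    count = 0
    for r in range(1, len(positions)):
        for subset in itertools.combinations(positions, r):
            if count >= max_mixed:
                return variants
            chosen = set(subset)
            label = "mixed:" + ",".join(str(i) for i in subset)
            variants[label] = "".join(
                percent(c) if i in chosen else c for i, c in enumerate(payload))
            count += 1
    return variants


if __name__ == "__main__":
    for probe in ("../", "<script>"):
        print("== %s" % probe)
        for label, variant in encoding_variants(probe).items():
            print("  %-12s %s" % (label, variant))
```

Every variant decodes back to the same payload after at most two rounds of decoding, so a component that rejects the plain form but accepts any of the others has a decoding inconsistency worth reporting.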