
Encoded characters in URLs are not bad when they’re used for valid technical reasons, such as supporting non‑English languages, special symbols, or safe data transmission in paths and search queries.
Examples
- The word `café` becomes `caf%C3%A9` in a URL.
- A search for `cats & dogs` becomes `cats%20%26%20dogs`.
Encoded characters aren’t inherently dangerous. Legitimate uses are all about correctly transmitting data across systems.
They become problematic when used to hide intent, bypass security controls, or obfuscate dangerous input like scripts, traversal sequences, or injection payloads.
What’s Probing?
Probing is when someone (often a bot or attacker) sends test requests to a website or server to learn how it behaves and what protections it has without launching a full attack yet.
During probing, bots or attackers are checking:
- Is there a firewall or WAF?
- Which inputs are blocked vs allowed?
- Are error messages detailed or generic?
- Does encoding bypass filters?
Path Traversal Attempt Using Encoded Characters
Here’s a clear, common example of a path traversal attempt using URL encoding:
https://example.com/wp-content/uploads/%2e%2e/%2e%2e/wp-config.php
What it decodes to:
https://example.com/wp-content/uploads/../../wp-config.php
The attacker is attempting to:
- Start in a publicly accessible directory (`wp-content/uploads`)
- Use `../` to move up the directory tree
- Access `wp-config.php`, which contains:
  - Database credentials
  - Security keys
  - Site configuration
Note that web servers such as Apache and nginx decode and normalize the request path before mapping it to a file, so this exact URL usually just returns a 404. The request is still worth flagging: it shows someone testing whether the server, a plugin, or a script that builds file paths from user input handles the encoded form differently from the plain one.
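The defensive side of the request above, as an added example (this is not code from the original page, and the uploads root and sample request paths are constructed for illustration): a naive filter that looks for the literal text `../` in the raw URL never sees `%2e%2e/`, while a check that percent-decodes once, normalizes the path and then confines it to the uploads directory rejects every variant.

```python
"""Added example (not code from the original page): a path-confinement check
that runs on the decoded, normalised path rather than on the raw URL.

The uploads root and the sample request paths are constructed for
illustration and do not correspond to any real site."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed layout: the URL prefix /wp-content/uploads/ maps onto this directory.
UPLOADS_ROOT = "/var/www/html/wp-content/uploads"
URL_PREFIX = "/wp-content/uploads/"


def naive_filter_blocks(raw_path: str) -> bool:
    """A filter that only looks for the literal text '../' in the raw request.

    It never sees the encoded form %2e%2e/ and therefore lets it through.
    """
    return "../" in raw_path


def resolve_request(raw_path: str, root: str = UPLOADS_ROOT) -> Optional[str]:
    """Map a request path onto the filesystem, confined to `root`.

    Steps: percent-decode once (as the web server would), treat backslashes
    as separators, collapse '.' and '..' with normpath, then require that the
    result is still inside `root`.  Returns None when the request must be
    rejected.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith(URL_PREFIX):
        return None
    relative = decoded[len(URL_PREFIX):].replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Confinement: either the root itself or something strictly beneath it.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(raw_path: str) -> Tuple[bool, Optional[str]]:
    """Return (blocked_by_naive_filter, resolved_path_or_None) for comparison."""
    return naive_filter_blocks(raw_path), resolve_request(raw_path)


# Constructed sample requests: one legitimate, one plain traversal,
# one percent-encoded traversal, one using encoded backslashes (%5C).
SAMPLE_REQUESTS = [
    "/wp-content/uploads/2024/01/photo.jpg",
    "/wp-content/uploads/../../wp-config.php",
    "/wp-content/uploads/%2e%2e/%2e%2e/wp-config.php",
    "/wp-content/uploads/..%5c..%5cwp-config.php",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        blocked, resolved = classify(req)
        print(f"{req:50} naive_blocks={blocked!s:5} resolved={resolved}")
```

The point of the confinement check is that it does not care how the traversal was spelled: whatever `..`, `%2e%2e`, `/` or `%5C` combination arrives, the resolved absolute path either starts with the uploads root or the request is refused.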
What is Base64 Encoding?
Base64 is a way to convert binary data (or any text) into ASCII text so it can be transmitted over systems that only support text, like URLs, emails, or JSON.
It uses 64 characters: A–Z, a–z, 0–9, +, / (and = for padding)
Attackers often hide payloads using Base64 in URLs, POST bodies, or plugin endpoints.
Base64 is used to:
- Obfuscate payloads
- Bypass basic keyword filtering
- Reduce obvious signatures (`<?php`, `<script>`, etc.)
For example, the parameter
`payload=PD9waHAgZmlsZV9nZXRfY29udGVudHMoJ2ZpbGUucGhwJyk7ID8+`
decodes to
`<?php file_get_contents('file.php'); ?>`
Two practical details follow from the alphabet. First, `+`, `/` and `=` all have their own meaning in a URL (`+` is a space in a query string), so a Base64 value placed in a URL must have them percent-encoded (`%2B`, `%2F`, `%3D`) or use the URL-safe variant that substitutes `-` and `_`. Second, Base64 only hides a signature from a filter that does not decode; a WAF or log-analysis rule that Base64-decodes parameter values before matching sees the `<?php` just as clearly as in plaintext.
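How the decoding step closes the gap, as an added example (not code from the original page): the block below encodes the PHP snippet above in both Base64 alphabets, then scans a query string checking each parameter value twice, once as received and once after a guarded Base64 decode. The signature list, parameter names and query strings are constructed for illustration.

```python
"""Added example (not code from the original page): encoding a PHP payload
as Base64 and spotting such payloads in request parameters by decoding them
before matching signatures.

The signature list, parameter names and query strings are constructed for
illustration."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Plain-text markers a simple keyword filter would look for.
SIGNATURES = ("<?php", "<script", "../", "union select")

# Standard alphabet (+ /) or URL-safe alphabet (- _), optional '=' padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def encode_payload(text: str, url_safe: bool = False) -> str:
    """Base64-encode `text`.  url_safe=True swaps '+' and '/' for '-' and '_',
    which is what is needed if the value goes raw into a URL."""
    raw = text.encode("utf-8")
    encoded = base64.urlsafe_b64encode(raw) if url_safe else base64.b64encode(raw)
    return encoded.decode("ascii")


def try_decode_base64(value: str) -> Optional[str]:
    """Return the decoded text if `value` looks like Base64 and decodes to text,
    otherwise None.  Accepts both alphabets and missing padding."""
    if len(value) < 8 or not _B64_RE.match(value):
        return None
    normalised = value.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)   # restore stripped padding
    try:
        text = base64.b64decode(normalised, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def scan_query(query: str) -> Dict[str, List[str]]:
    """Check every parameter value both as received and after Base64 decoding.

    Returns {parameter: [signatures found]}; Base64 hits are prefixed 'base64:'."""
    findings: Dict[str, List[str]] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            hits = [s for s in SIGNATURES if s in value.lower()]
            decoded = try_decode_base64(value)
            if decoded is not None:
                hits += ["base64:" + s for s in SIGNATURES if s in decoded.lower()]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


PHP_PAYLOAD = "<?php file_get_contents('file.php'); ?>"

if __name__ == "__main__":
    b64 = encode_payload(PHP_PAYLOAD)
    print("standard :", b64)   # ends in '+', which a query string would turn into a space
    print("url-safe :", encode_payload(PHP_PAYLOAD, url_safe=True))
    # In a query string the '+' must be sent as %2B or the payload is corrupted.
    print(scan_query("payload=" + b64.replace("+", "%2B")))
    print(scan_query("q=cats%20%26%20dogs"))
```

The decode is deliberately guarded (alphabet check, minimum length, padding repair, UTF-8 and printability) so that ordinary parameter values are not mangled or misreported; a short token such as an ID that happens to be valid Base64 will still decode, which is why the scan reports signatures found in the decoded text rather than the mere fact that a value was decodable.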
High‑Risk URL‑Encoded Characters
These are frequently used in SQL injection, XSS, path traversal, and command injection attacks.
1. Encoded single and double quotes
- `%27` → `'` (single quote)
- `%22` → `"` (double quote)
2. Encoded angle brackets
- `%3C` → `<`
- `%3E` → `>`
3. Encoded semicolon
- `%3B` → `;`
4. Encoded parentheses
- `%28` → `(`
- `%29` → `)`
5. Encoded pipe and ampersand
- `%7C` → `|`
- `%26` → `&`
6. Encoded directory traversal
- `%2E%2E` → `..`
- `%2F` → `/`
- `%5C` → `\`
7. Encoded null byte
- `%00` → NUL (a string terminator in C-based code, used to truncate a filename or path after a check has run)
8. Double-encoded characters
- `%2527` → `%27` → `'`
- `%253C` → `%3C` → `<`
Keep in mind that browsers emit exactly these encodings for legitimate input that contains the same characters (a search for `O'Reilly`, a query containing `&`). Their presence is a reason to decode and inspect the value, not a verdict on its own.
Double Encoding
Double encoding is a trick attackers use to bypass security filters such as firewalls or web application firewalls (WAFs).
| Character | Encoded |
|---|---|
| ' | %27 |
| < | %3C |
| > | %3E |
| space | %20 |
Double encoding is encoding an already encoded character again: the `%` of `%27` is itself encoded as `%25`, giving `%2527`.
| Character | Encoded (double) |
|---|---|
| ' (single quote) | %2527 |
| < (less-than) | %253C |
| > (greater-than) | %253E |
| space | %2520 |
If a WAF only blocks `%27` and decodes the request once, it sees the harmless-looking text `%27` rather than a quote and lets the request through; the application then decodes the value a second time and receives `'`. The defence is to canonicalize before inspecting: decode repeatedly until the value stops changing (with an upper bound on the number of rounds), and treat more than one layer of encoding as suspicious in itself, since legitimate clients encode exactly once.
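The two approaches side by side, as an added example (not code from the original page): a single-pass filter that matches encoded tokens in the raw request, and a filter that canonicalizes by decoding until the value is stable and then inspects the result. The request paths are constructed for illustration, and the round limit is an assumption rather than a standard.

```python
"""Added example (not code from the original page): a filter that inspects the
raw request once misses double encoding, while decoding until the value is
stable catches it.  The request paths are constructed for illustration and
the round limit is an assumption, not a standard."""
from typing import Tuple
from urllib.parse import unquote

# Tokens the filter refuses once the request has been fully decoded.
BLOCKED_TOKENS = ("'", "<", ">", ";", "|", "\x00", "../", "..\\")

# Assumption: legitimate clients encode once, so two layers is already suspicious
# and three is more than enough to reach the plaintext of any realistic input.
MAX_DECODE_ROUNDS = 3


def single_pass_filter(raw: str) -> bool:
    """The weak approach: match a few encoded forms in the raw request text."""
    lowered = raw.lower()
    return any(tok in lowered for tok in ("%27", "%3c", "%3e", "%2e%2e", "../"))


def canonicalize(raw: str) -> Tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing, bounded by
    MAX_DECODE_ROUNDS.  Returns (decoded_value, rounds_that_changed_it)."""
    current, rounds = raw, 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def robust_filter(raw: str) -> Tuple[bool, str]:
    """Canonicalize first, then inspect.  Anything that needed more than one
    decode round is rejected outright; otherwise the decoded text is checked
    against BLOCKED_TOKENS.  Returns (blocked, reason_or_decoded_value)."""
    decoded, rounds = canonicalize(raw)
    if rounds > 1:
        return True, f"double-encoded ({rounds} layers): {decoded!r}"
    hit = next((tok for tok in BLOCKED_TOKENS if tok in decoded), None)
    if hit is not None:
        return True, f"blocked token {hit!r} in {decoded!r}"
    return False, decoded


# Constructed requests: single-encoded attack, two double-encoded attacks,
# and two benign values (a non-ASCII word and a literal percent sign).
SAMPLE_REQUESTS = [
    "/search?q=%27+OR+1%3D1",
    "/search?q=%2527+OR+1%253D1",
    "/wp-content/uploads/%252e%252e/%252e%252e/wp-config.php",
    "/search?q=caf%C3%A9",
    "/search?q=100%25",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:58} single_pass={single_pass_filter(req)!s:5} "
              f"robust={robust_filter(req)}")
```

The bounded loop matters for two reasons: it prevents an attacker from making the filter spin on pathological input, and it lets the filter distinguish a value that legitimately contains a percent sign (`100%25` decodes once to `100%` and then stops) from one that was deliberately wrapped twice. The trade-off is that a client which really does need to send percent-encoded text as data will be rejected; in that situation the application should accept it through a dedicated, documented parameter rather than by relaxing the rule everywhere.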