Bug Bounty Hub
  • πŸš€WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • πŸ•ΈοΈPENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • πŸ“šRESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • πŸ”οΈBug Bounty Platforms
Powered by GitBook
On this page

Was this helpful?

  1. THE BASICS OF WEB
  2. Encoding

URL encoding

URL encoding is a process used to encode special characters in URLs to ensure that they are transmitted correctly over the internet. URLs can only be sent over the internet using the ASCII character set. Certain characters in URLs have special meanings (like ?, &, #, etc.), and spaces or other non-ASCII characters can cause problems if not handled properly. URL encoding converts these characters into a format that can be safely used in URLs.

In this example, the password contains ampersand & , which if not encoded will be treated as a parameter and will set password to tJ and "MS_L"

URL:
https://example.com/login.php?username=admin&password=tJ&MS_l

Encoded URL:
https://example.com/login.php?username=admin&password=tJ%26MS_l

Common characters encoded and encoded value:

Character
Encoded Value

Space

%20

Double Quote (")

%22

Less Than (<)

%3C

Greater Than (>)

%3E

Pound (#)

%23

Percentage (%)

%25

Ampersand (&)

%26

Slash (/)

%2F

Plus (+)

%2B

Equal (=)

%3D

Double Encoding

In double encoding, the characters are encoded twice:

  • The first level of encoding converts the character into a percent-encoded form.

  • The second level of encoding is appliedto the percent-encoded characters.

Example: & > %26 > %2526

URL:
https://example.com/login.php?username=admin&password=tJ&MS_l

First encode:
https://example.com/login.php?username=admin&password=tJ%26MS_l

Second encode:
https://example.com/login.php?username=admin&password=tJ%2526MS_l
PreviousEncodingNextHTML encoding

Last updated 6 months ago

Was this helpful?

🐣