# Payload Encoding Payload encoding transforms payloads before injection, which is essential for bypassing input validation, WAFs, and encoding-specific attack vectors. ## ๐Ÿ“Š Encoding Types The `Encoder` field specifies which encoding transformations to apply to payloads: ### ๐Ÿ”— URL-Encode Key Characters Encodes only the characters that have special meaning in URLs: ``` < > " ' & / \ ; = ( ) { } [ ] | ` ~ ! ``` **Before:** `` **After:** `%3Cscript%3Ealert(1)%3C%2Fscript%3E` ### ๐Ÿ”— URL-Encode All Characters Encodes every character in the payload as `%XX`: **Before:** `test` **After:** `%74%65%73%74` ### ๐Ÿ“ HTML-Encode Key Characters Encodes characters using HTML entities: ``` < โ†’ < > โ†’ > " โ†’ " ' โ†’ ' & โ†’ & ``` **Before:** `` **After:** `<img src=x onerror=alert(1)>` ### ๐Ÿ”’ Base64-Encode Encodes the entire payload as Base64: **Before:** `admin:password` **After:** `YWRtaW46cGFzc3dvcmQ=` ### ๐ŸŒ Unicode-Encode Encodes characters using Unicode escape sequences: **Before:** `"], "Encoder": ["URL-encode key characters"] } ``` Useful when the application URL-decodes input before rendering. ### ๐Ÿ—„๏ธ SQL Injection with Space Encoding ```json { "Payloads": ["true,' OR '1'='1"], "UrlEncode": true, "CharsToUrlEncode": " '" } ``` Encodes only spaces and quotes for SQL injection payloads. ### ๐Ÿ“„ XXE with Base64 ```json { "Payloads": ["true,file:///etc/passwd"], "Encoder": ["Base64-encode"] } ``` Useful when the application processes Base64-encoded XML entities. ### ๐Ÿ›ก๏ธ WAF Bypass with Unicode ```json { "Payloads": ["true,"], "Encoder": ["Unicode-encode"] } ``` Unicode encoding can bypass WAF rules that only check for ASCII patterns. ## โšก Encoding Pipeline The full payload processing pipeline with encoding: ``` ๐Ÿ“„ Raw Payload โ†’ โœ… Filter enabled payloads (true, prefix) โ†’ ๐Ÿ” Apply Encoder transformations (in order) โ†’ ๐Ÿ”— Apply UrlEncode + CharsToUrlEncode (if enabled) โ†’ ๐Ÿ”ง Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.) โ†’ ๐Ÿ’‰ Inject into insertion point โ†’ ๐Ÿ“ก Send request ``` ## ๐Ÿ’ก Tips * ๐Ÿงช **Test encodings manually** โ€” Use Burp Decoder to verify your encoding produces the expected result * ๐Ÿ”— **Chain encodings** โ€” Double encoding (e.g., URL-encode twice) can bypass some WAFs * ๐ŸŽฏ **Use `CharsToUrlEncode`** for precise control โ€” Only encode the characters that need encoding * ๐Ÿชž **Match encoded payloads** โ€” When using Payload Reflection match type (MatchType 3 vs 4), be aware that MatchType 3 checks for the encoded payload while MatchType 4 checks for the original --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.bountysecurity.ai/profiles/payload-encoding.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.