🔐Payload Encoding

Payload encoding transforms payloads before injection, which is essential for bypassing input validation, WAFs, and encoding-specific attack vectors.

📊 Encoding Types

The Encoder field specifies which encoding transformations to apply to payloads:

🔗 URL-Encode Key Characters

Encodes only the characters that have special meaning in URLs:

< > " ' & / \ ; = ( ) { } [ ] | ` ~ !

Before: <script>alert(1)</script> After: %3Cscript%3Ealert(1)%3C%2Fscript%3E

🔗 URL-Encode All Characters

Encodes every character in the payload as %XX:

Before: test After: %74%65%73%74

📝 HTML-Encode Key Characters

Encodes characters using HTML entities:

< → &lt;
> → &gt;
" → &quot;
' → &#x27;
& → &amp;

Before: <img src=x onerror=alert(1)> After: <img src=x onerror=alert(1)>

🔒 Base64-Encode

Encodes the entire payload as Base64:

Before: admin:password After: YWRtaW46cGFzc3dvcmQ=

🌐 Unicode-Encode

Encodes characters using Unicode escape sequences:

Before: <script> After: \u003cscript\u003e

⚙️ Configuration

📝 Using the Encoder Field

{
  "Encoder": [
    "URL-encode key characters"
  ]
}

🔗 Multiple encoders can be chained — they are applied in sequence:

{
  "Encoder": [
    "URL-encode key characters",
    "Base64-encode"
  ]
}

🎯 URL-Encode Specific Characters

For fine-grained control, use UrlEncode and CharsToUrlEncode:

{
  "UrlEncode": true,
  "CharsToUrlEncode": "<>\"'&"
}

Field

Description

UrlEncode

✅ Enable custom URL encoding

CharsToUrlEncode

🔤 The specific characters to URL-encode

📚 Encoding Examples by Vulnerability Type

💉 XSS with URL Encoding

{
  "Payloads": ["true,<script>alert(1)</script>"],
  "Encoder": ["URL-encode key characters"]
}

Useful when the application URL-decodes input before rendering.

🗄️ SQL Injection with Space Encoding

{
  "Payloads": ["true,' OR '1'='1"],
  "UrlEncode": true,
  "CharsToUrlEncode": " '"
}

Encodes only spaces and quotes for SQL injection payloads.

📄 XXE with Base64

{
  "Payloads": ["true,file:///etc/passwd"],
  "Encoder": ["Base64-encode"]
}

Useful when the application processes Base64-encoded XML entities.

🛡️ WAF Bypass with Unicode

{
  "Payloads": ["true,<script>alert(1)</script>"],
  "Encoder": ["Unicode-encode"]
}

Unicode encoding can bypass WAF rules that only check for ASCII patterns.

⚡ Encoding Pipeline

The full payload processing pipeline with encoding:

📄 Raw Payload
  → ✅ Filter enabled payloads (true, prefix)
  → 🔐 Apply Encoder transformations (in order)
  → 🔗 Apply UrlEncode + CharsToUrlEncode (if enabled)
  → 🔧 Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.)
  → 💉 Inject into insertion point
  → 📡 Send request

💡 Tips

🧪 Test encodings manually — Use Burp Decoder to verify your encoding produces the expected result
🔗 Chain encodings — Double encoding (e.g., URL-encode twice) can bypass some WAFs
🎯 Use CharsToUrlEncode for precise control — Only encode the characters that need encoding
🪞 Match encoded payloads — When using Payload Reflection match type (MatchType 3 vs 4), be aware that MatchType 3 checks for the encoded payload while MatchType 4 checks for the original

PreviousMatch and Replace NextIssue Properties

Last updated 2 days ago

hashtag📊 Encoding Types

hashtag🔗 URL-Encode Key Characters

hashtag🔗 URL-Encode All Characters

hashtag📝 HTML-Encode Key Characters

hashtag🔒 Base64-Encode

hashtag🌐 Unicode-Encode

hashtag⚙️ Configuration

hashtag📝 Using the Encoder Field

hashtag🎯 URL-Encode Specific Characters

hashtag📚 Encoding Examples by Vulnerability Type

hashtag💉 XSS with URL Encoding

hashtag🗄️ SQL Injection with Space Encoding

hashtag📄 XXE with Base64

hashtag🛡️ WAF Bypass with Unicode

hashtag⚡ Encoding Pipeline

hashtag💡 Tips