# Payload Encoding

Payload encoding transforms payloads before injection, which is essential for bypassing input validation, WAFs, and encoding-specific attack vectors.

## 📊 Encoding Types

The `Encoder` field specifies which encoding transformations to apply to payloads:

### 🔗 URL-Encode Key Characters

Encodes only the characters that have special meaning in URLs:

```
< > " ' & / \ ; = ( ) { } [ ] | ` ~ !
```

**Before:** `<script>alert(1)</script>` **After:** `%3Cscript%3Ealert(1)%3C%2Fscript%3E`

### 🔗 URL-Encode All Characters

Encodes every character in the payload as `%XX`:

**Before:** `test` **After:** `%74%65%73%74`

### 📝 HTML-Encode Key Characters

Encodes characters using HTML entities:

```
< → &lt;
> → &gt;
" → &quot;
' → &#x27;
& → &amp;
```

**Before:** `<img src=x onerror=alert(1)>` **After:** `&lt;img src=x onerror=alert(1)&gt;`

### 🔒 Base64-Encode

Encodes the entire payload as Base64:

**Before:** `admin:password` **After:** `YWRtaW46cGFzc3dvcmQ=`

### 🌐 Unicode-Encode

Encodes characters using Unicode escape sequences:

**Before:** `<script>` **After:** `\u003cscript\u003e`

## ⚙️ Configuration

### 📝 Using the Encoder Field

```json
{
  "Encoder": [
    "URL-encode key characters"
  ]
}
```

🔗 Multiple encoders can be chained — they are applied in sequence:

```json
{
  "Encoder": [
    "URL-encode key characters",
    "Base64-encode"
  ]
}
```

### 🎯 URL-Encode Specific Characters

For fine-grained control, use `UrlEncode` and `CharsToUrlEncode`:

```json
{
  "UrlEncode": true,
  "CharsToUrlEncode": "<>\"'&"
}
```

| Field              | Description                              |
| ------------------ | ---------------------------------------- |
| `UrlEncode`        | ✅ Enable custom URL encoding             |
| `CharsToUrlEncode` | 🔤 The specific characters to URL-encode |

## 📚 Encoding Examples by Vulnerability Type

### 💉 XSS with URL Encoding

```json
{
  "Payloads": ["true,<script>alert(1)</script>"],
  "Encoder": ["URL-encode key characters"]
}
```

Useful when the application URL-decodes input before rendering.

### 🗄️ SQL Injection with Space Encoding

```json
{
  "Payloads": ["true,' OR '1'='1"],
  "UrlEncode": true,
  "CharsToUrlEncode": " '"
}
```

Encodes only spaces and quotes for SQL injection payloads.

### 📄 XXE with Base64

```json
{
  "Payloads": ["true,file:///etc/passwd"],
  "Encoder": ["Base64-encode"]
}
```

Useful when the application processes Base64-encoded XML entities.

### 🛡️ WAF Bypass with Unicode

```json
{
  "Payloads": ["true,<script>alert(1)</script>"],
  "Encoder": ["Unicode-encode"]
}
```

Unicode encoding can bypass WAF rules that only check for ASCII patterns.

## ⚡ Encoding Pipeline

The full payload processing pipeline with encoding:

```
📄 Raw Payload
  → ✅ Filter enabled payloads (true, prefix)
  → 🔐 Apply Encoder transformations (in order)
  → 🔗 Apply UrlEncode + CharsToUrlEncode (if enabled)
  → 🔧 Replace variables ({REDIRECT_DOMAIN}, {BC}, etc.)
  → 💉 Inject into insertion point
  → 📡 Send request
```

## 💡 Tips

* 🧪 **Test encodings manually** — Use Burp Decoder to verify your encoding produces the expected result
* 🔗 **Chain encodings** — Double encoding (e.g., URL-encode twice) can bypass some WAFs
* 🎯 **Use `CharsToUrlEncode`** for precise control — Only encode the characters that need encoding
* 🪞 **Match encoded payloads** — When using Payload Reflection match type (MatchType 3 vs 4), be aware that MatchType 3 checks for the encoded payload while MatchType 4 checks for the original