
Encoding Attack Patterns Reference

Educational reference for common encoding-based attack patterns used in web security. Understand attack mechanics and implement proper defenses.

Educational reference only. Understanding these patterns helps build secure defenses. This tool does not generate exploit code.

Double URL Encoding

Category: URL Encoding
Original: / → Encoded: %252F

URL-encode a character, then URL-encode the % sign of the first encoding. A filter that decodes once sees only the intermediate value, while a server or proxy chain that decodes twice acts on the fully decoded one.

Example: GET /admin%252Fpanel → decoded once: /admin%2Fpanel → decoded twice: /admin/panel
Bypasses: Single-pass URL decoders, WAFs that check only once, path normalization filters
Defense: Normalize and decode URLs exactly once before validation. Reject % in already-decoded strings. Use allowlists over blocklists.

Double URL Encoding (dot)

Category: URL Encoding
Original: . → Encoded: %252E

Double-encode a period to bypass path traversal filters that block %2E or literal dots.

Example: %252E%252E%252F → decoded once: %2E%2E%2F → decoded twice: ../
Bypasses: Path traversal filters checking for .. or %2E%2E
Defense: Canonicalize paths before checking. Resolve to an absolute path and validate the prefix.

Unicode Normalization Bypass (superscript)

Category: Unicode
Original: script → Encoded: ˢᶜʳⁱᵖᵗ

Unicode contains compatibility forms and look-alike characters (homoglyphs). NFKC normalization folds compatibility forms such as superscript letters to their ASCII equivalents (ˢᶜʳⁱᵖᵗ → script), so a value can change after a filter has already inspected it; homoglyphs from other scripts, such as the Cyrillic а below, survive normalization and must be caught by an allowlist.

Example: paypal.com vs pаypal.com (Cyrillic а)
Bypasses: Filters checking string content before normalization, HTML sanitizers, username uniqueness checks
Defense: Normalize to NFC or NFKC before all security checks. Restrict allowed characters with allowlists.

Unicode Full-Width ASCII

Category: Unicode
Original: /etc/passwd → Encoded: ／ｅｔｃ／ｐａｓｓｗｄ

Unicode full-width variants (U+FF01–U+FF5E) look identical to ASCII but have different code points. Some frameworks normalize them.

Example: U+FF0F (／) is the full-width solidus; some servers treat it as /
Bypasses: Path validators checking ASCII slashes only
Defense: Map full-width to half-width before validation. Use a strict ASCII-only allowlist for file paths.
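As an added example (not code from the original reference), the defense for both Unicode cards in Python: fold compatibility characters with NFKC before any check, then apply an ASCII allowlist. The identifier allowlist and the sample inputs are assumptions. It also shows why the allowlist is still needed: the Cyrillic homoglyph from the example above is not a compatibility form, so NFKC leaves it unchanged.

```python
import re
import unicodedata

# Assumption: identifiers (usernames, host labels) may only contain these ASCII characters.
ALLOWED = re.compile(r"[A-Za-z0-9._-]+")


def fold_compat(value: str) -> str:
    """NFKC maps superscript letters and full-width forms to their ASCII equivalents.

    Homoglyphs from other scripts (e.g. Cyrillic а, U+0430) are not compatibility
    forms and come out of this function unchanged.
    """
    return unicodedata.normalize("NFKC", value)


def canonical_identifier(value: str) -> str:
    """Normalize first, then allowlist, so the check sees what the application will store."""
    folded = fold_compat(value)
    if not ALLOWED.fullmatch(folded):
        raise ValueError(f"identifier contains disallowed characters: {value!r}")
    return folded


def is_allowed_identifier(value: str) -> bool:
    try:
        canonical_identifier(value)
        return True
    except ValueError:
        return False


def same_identifier(a: str, b: str) -> bool:
    """Uniqueness check on canonical forms: 'script' and 'ˢᶜʳⁱᵖᵗ' are the same account."""
    return canonical_identifier(a) == canonical_identifier(b)


if __name__ == "__main__":
    # Constructed inputs: the page's superscript and full-width examples plus a Cyrillic homoglyph.
    for sample in ["script", "ˢᶜʳⁱᵖᵗ", "／ｅｔｃ／ｐａｓｓｗｄ", "pаypal.com"]:
        print(f"{sample!r} -> NFKC {fold_compat(sample)!r}, allowed={is_allowed_identifier(sample)}")
```

The order matters: an allowlist applied before normalization would accept the raw superscript string as "not ASCII letters" only to have a later NFKC pass turn it into `script`; normalizing first means the uniqueness check and the allowlist operate on the same value the rest of the system will see.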

HTML Entity Encoding for XSS

Category: HTML Entities
Original: <script> → Encoded: &#x3C;script&#x3E;

HTML entities represent characters using & notation. If a filter checks for a literal < but not for entities, the browser may decode and execute the script.

Example: &#x3C;img src=x onerror=alert(1)&#x3E; → <img src=x onerror=alert(1)>
Bypasses: WAFs checking for literal angle brackets, some template engines that auto-decode entities
Defense: Use context-aware output encoding. Sanitize HTML with a dedicated library (DOMPurify). Never assign user input to innerHTML.

Decimal Entity XSS

Category: HTML Entities
Original: < → Encoded: &#60;

The decimal HTML entity &#60; is equivalent to <. Browsers decode entities inside attribute values before interpreting them, so an entity-encoded scheme or event handler still works.

Example: <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(1)">click</a>
Bypasses: Hex entity filters that miss the decimal form
Defense: Treat all entity forms as equivalent. Use structured templating with auto-escaping.
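Added example, not code from the original page, for the two HTML-entity cards: Python helpers that decode hex, decimal and named entities the way a browser does before checking content, allowlist the href scheme after decoding, and escape untrusted text on output. The allowed-scheme set and the comment template are assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Assumption: links in this application may only be relative or use these schemes.
SAFE_SCHEMES = {"", "http", "https", "mailto"}

# Browsers ignore ASCII control characters and whitespace when parsing a URL scheme,
# so the check removes them too before looking at the scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def decode_entities(value: str) -> str:
    """Resolve &lt;, &#60; and &#x3C; alike, so every entity form is treated as equivalent."""
    return html.unescape(value)


def contains_markup(value: str) -> bool:
    """Look for angle brackets AFTER entity decoding; a raw-string check misses encoded forms."""
    decoded = decode_entities(value)
    return "<" in decoded or ">" in decoded


def is_safe_href(value: str) -> bool:
    """Accept an href only if its scheme, after entity decoding, is on the allowlist."""
    cleaned = _CTRL_WS.sub("", decode_entities(value))
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


def render_comment(author: str, body: str) -> str:
    """Output encoding for the HTML text context: untrusted text is escaped, never concatenated raw.

    Note that escaping turns the '&' of an entity into '&amp;', so an entity-encoded
    payload is displayed literally instead of being decoded by the browser.
    """
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


if __name__ == "__main__":
    # Constructed inputs: the page's two examples and a benign link.
    print(contains_markup("&#x3C;img src=x onerror=alert(1)&#x3E;"))
    print(is_safe_href("&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert(1)"))
    print(is_safe_href("https://example.com/docs"))
    print(render_comment("bob", "&#60;b&#62;"))
```

Two different operations are at work: decoding is applied to input before a validation decision, and escaping is applied to output for the specific context it lands in. Neither replaces the other, and a template engine with auto-escaping does the second one for you.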

SQL Comment Encoding (%23)

Category: SQL Injection
Original: # → Encoded: %23

URL-encode the MySQL comment character # as %23 to bypass filters that look for the literal # character in query strings.

Example: ?id=1 UNION SELECT 1,2,3%23 → id=1 UNION SELECT 1,2,3#
Bypasses: WAFs filtering literal # in URL parameters for SQL injection
Defense: Use parameterized queries / prepared statements. Never concatenate user input into SQL.

SQL Inline Comment (/**/)

Category: SQL Injection
Original: (space) → Encoded: /**/

Replace spaces with SQL inline comments /**/ to bypass space-based filters while keeping the query valid.

Example: SELECT/**/username/**/FROM/**/users/**/WHERE/**/id=1
Bypasses: Filters that remove spaces between SQL keywords
Defense: Use parameterized queries. If parsing SQL, use an AST-level parser, not string matching.

SQL Dash Comment Encoding

Category: SQL Injection
Original: -- → Encoded: %2D%2D

URL-encode the SQL line comment -- as %2D%2D to avoid string-level detection.

Example: ?user=admin'%2D%2D → admin'--
Bypasses: WAFs and input validation that look for literal -- in parameters
Defense: Parameterized queries are the only reliable defense. WAF bypass techniques demonstrate that WAFs alone are insufficient.
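Added example (not the page's own code) for the three SQL cards: parameterized lookups using Python's standard sqlite3 module, chosen because it needs no server; the table, rows and the typed-id rule are constructed assumptions. Once a value is bound as a parameter, comment markers and inline comments inside it are compared as ordinary characters rather than parsed as SQL, and a numeric id is validated as a number before the query is even built.

```python
import sqlite3
from typing import Optional, Tuple

Row = Tuple[int, str, str]


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "user"), (3, "bob", "user")],
    )
    return conn


def find_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[Row]:
    """Typed lookup: parse the id first, then bind it.

    '1 UNION SELECT 1,2,3#' or '1/**/OR/**/1=1' fail int() and never reach the SQL text.
    """
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def find_by_username(conn: sqlite3.Connection, raw_name: str) -> Optional[Row]:
    """Bound parameter: the driver passes the value separately from the statement,
    so a quote or a -- inside it is just part of the string being compared."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (raw_name,)
    ).fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed inputs: a normal id, the page's encoded-comment and inline-comment examples.
    for raw in ["1", "1 UNION SELECT 1,2,3#", "1/**/OR/**/1=1"]:
        print(f"id={raw!r}: {find_by_id(db, raw)}")
    for raw in ["admin", "admin'--"]:
        print(f"username={raw!r}: {find_by_username(db, raw)}")
```

The point the third card makes, that WAF bypasses show WAFs are insufficient, follows directly: none of these functions inspect the input for # or -- at all, and they still behave correctly, because the query structure is fixed before any user data is involved.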

Path Traversal (../)

Category: Path Traversal
Original: ../ → Encoded: ../ (literal, no encoding applied)

Classic directory traversal: move up one directory level. Blocked by most modern frameworks but still effective against custom code.

Example: /download?file=../../../etc/passwd
Bypasses: Custom file-serving code, misconfigured web servers
Defense: Resolve paths to absolute form and verify they start with an approved base directory. Never concatenate user input into file paths.

Path Traversal URL Encoded

Category: Path Traversal
Original: ../ → Encoded: %2e%2e%2f

URL-encode each character of ../ to bypass filters checking for the literal sequence.

Example: /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd
Bypasses: Filters matching literal ../ without decoding first
Defense: Decode before validating. Use a realpath() equivalent and a prefix check.

Path Traversal Overlong UTF-8

Category: Path Traversal
Original: / → Encoded: %c0%af

Overlong UTF-8 encoding (non-standard, rejected by RFC 3629) was accepted by some older servers. CVE-2000-0884 (IIS) allowed ..%c0%af to traverse directories.

Example: ..%c0%af → may be interpreted as ../ on vulnerable systems
Bypasses: Legacy servers with broken UTF-8 decoders (IIS 5.0, older Tomcat)
Defense: Reject invalid UTF-8 sequences. Use up-to-date web servers. Apply strict path validation after decoding.

Path Traversal Backslash (Windows)

Category: Path Traversal
Original: ..\ → Encoded: ..%5c

On Windows, backslash is also a path separator. URL-encode it as %5c to bypass forward-slash-only filters.

Example: /download?file=..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
Bypasses: Linux-centric path traversal filters running on Windows hosts
Defense: Normalize path separators before validation. Check for both / and \ on Windows.
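Added example, not part of the original reference, serving both the double-URL-encoding cards and the four path traversal cards: a Python validator for a file-download parameter. It decodes percent-encoding exactly once and strictly (rejecting overlong UTF-8 and anything that still contains % after one pass), treats backslashes as separators, accepts ASCII only (which also removes full-width look-alikes), and then compares the realpath against the base directory. The directory layout, the sample file and the `verdict` wrapper are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote_to_bytes


def decode_path_component(raw: str) -> str:
    """Decode percent-encoding once, strictly, and normalize separators.

    - unquote_to_bytes + strict UTF-8 decoding rejects overlong sequences such as %c0%af.
    - A '%' left after one decode means the input was double-encoded: reject it
      rather than decoding a second time.
    - Backslashes are treated as separators, as Windows does, before any check.
    - Only ASCII is accepted, so full-width variants like U+FF0F are rejected.
    """
    try:
        decoded = unquote_to_bytes(raw).decode("utf-8")  # strict by default
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 in path: {exc.reason}") from None
    if "%" in decoded:
        raise ValueError("double-encoded path rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if not decoded.isascii():
        raise ValueError("non-ASCII path rejected")
    return decoded.replace("\\", "/")


def resolve_under(base_dir: str, raw: str) -> str:
    """Return the absolute path of `raw` inside `base_dir`, or raise ValueError.

    The decisive check runs on the canonical (realpath) form, so '..', symlinks
    and absolute paths are all handled the same way.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decode_path_component(raw)))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {raw!r}")
    return candidate


def verdict(base_dir: str, raw: str) -> str:
    """'allow' or 'deny: <reason>' for one request value."""
    try:
        resolve_under(base_dir, raw)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"


def demo() -> dict:
    """Run the page's examples against a temporary directory holding one constructed file."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "report.pdf"), "w") as fh:
            fh.write("constructed sample content")
        samples = [
            "report.pdf",                                  # legitimate request
            "../../../etc/passwd",                         # literal traversal
            "%2e%2e%2f%2e%2e%2fetc%2fpasswd",              # URL-encoded traversal
            "%252E%252E%252F",                             # double-encoded traversal
            "..%c0%af..%c0%afetc/passwd",                  # overlong UTF-8
            "..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts",  # encoded backslash
            "／ｅｔｃ／ｐａｓｓｗｄ",                        # full-width look-alike
        ]
        return {s: verdict(base, s) for s in samples}


if __name__ == "__main__":
    for sample, result in demo().items():
        print(f"{sample!r}: {result}")
```

The ordering is the whole design: decode once, reject anything that would need a second decode, and only then canonicalize and compare. A check done on the raw string before decoding is what the encoded cards above bypass, and a check done on a string that is later decoded again is what the double-encoding cards bypass.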

marduc812

2026