
URL encoding is essential when dealing with web requests, especially in cybersecurity and penetration testing. Mark Green’s improved Bash function helps encode only the necessary characters in a URL, optimizing payloads for tools like Burp Suite.
The Bash URL Encoding Function
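```bash
urlencode() {
    local string="${1}"
    local strlen=${#string}    # length of the input string
    local encoded=""
    local pos c o
    for (( pos=0 ; pos<strlen ; pos++ )); do
        c=${string:$pos:1}
        case "$c" in
            # RFC 3986 unreserved characters pass through unchanged
            [-_.~a-zA-Z0-9] ) o="${c}" ;;
            # everything else becomes %XX (uppercase hex)
            * ) printf -v o '%%%02X' "'$c" ;;
        esac
        encoded+="${o}"
    done
    echo "${encoded}"
}
```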
Usage:
```bash
urlencode "https://hackertips.today?id=1234&whatever=true"
```
Output:
```
https%3A%2F%2Fhackertips%2Etoday%3Fid%3D1234%26whatever%3Dtrue
```
You Should Know:
1. GET vs. POST Requests
- GET: Data is visible in the URL (e.g., `?param1=value1&param2=value2`).
- POST: Data is sent in the request body (hidden from the URL).
2. Key URL Encoding Characters
- `?` → `%3F`
- `&` → `%26`
- `=` → `%3D`
- `/` → `%2F`
- `:` → `%3A`
3. Using `curl` with Encoded URLs
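```bash
# Encode only the parameter value: a fully encoded URL (https%3A%2F%2F...)
# no longer has a scheme or host that curl can parse.
encoded_value=$(urlencode "1&value=2")
curl -X GET "https://example.com/test?query=${encoded_value}"
```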
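The distinction behind points 2 and 3, as an added example that is not code from the original post: the `?`, `&` and `=` delimiters stay literal while each key and value is percent-encoded on its own, byte by byte, so multi-byte UTF-8 input encodes correctly. The function names `encode_component` and `build_url` are assumptions made for this example, which targets POSIX `sh` and relies on `od` and `tr`.

```shell
#!/bin/sh
# Added example: percent-encode each query key and value separately.
# encode_component and build_url are names assumed for this example.

# Percent-encode one URL component, byte by byte. Only the RFC 3986
# unreserved set (A-Z a-z 0-9 - . _ ~) is left literal.
encode_component() (
    out=""
    # od prints every input byte as two hex digits, so multi-byte UTF-8
    # characters are encoded one byte at a time regardless of locale.
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case "$hex" in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # Unreserved byte: turn the hex value back into the character.
                out="${out}$(printf "\\$(printf '%03o' "0x$hex")")" ;;
            *)
                out="${out}%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
)

# build_url BASE key value [key value ...]
# BASE (scheme, host, path) is passed through untouched; the ?, & and =
# delimiters are added literally; keys and values are encoded.
build_url() (
    url=$1
    shift
    sep='?'
    while [ "$#" -ge 2 ]; do
        url="${url}${sep}$(encode_component "$1")=$(encode_component "$2")"
        sep='&'
        shift 2
    done
    printf '%s\n' "$url"
)

# Constructed sample input: a value that itself contains & and =.
build_url "https://example.com/test" query "1&value=2" note "a b"
```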
4. Decoding URLs in Bash
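```bash
urldecode() {
    local url="${1}"
    # Rewrite every %XX as \xXX and let printf's %b expand it.
    # %b also expands any other backslash escapes already present in the input.
    printf '%b\n' "${url//%/\\x}"
}
```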
5. Burp Suite Integration
- Use encoded payloads in Repeater or Intruder.
- Automate encoding with Bash before sending requests.
6. Windows Equivalent (PowerShell)
7. Python Alternative
```python
from urllib.parse import quote

# safe="" means "/" is encoded as well (quote() leaves it literal by default)
encoded = quote("https://example.com?test=1", safe="")
```
What Undercode Say:
URL encoding is a fundamental skill for web security testing. Whether manipulating query strings, crafting XSS payloads, or bypassing WAFs, understanding how and when to encode characters ensures successful exploitation. Always test edge cases—some servers handle encoded and unencoded inputs differently.


