Double Encoding

Double Encoding is a technique in which characters are URL-encoded twice so that a security filter which decodes input only once sees a still-encoded, harmless-looking value, while the application decodes it a second time and receives the malicious payload.

How It Works

# Single encoding
< → %3C

# Double encoding
< → %3C → %253C

# Decoding chain
%253C → %3C (first decode) → < (second decode)

Attack Scenario

# WAF blocks: ../../../etc/passwd
# Single encoded: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
# WAF decodes once: ../../../etc/passwd → BLOCKED

# Double encoded: %252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd
# WAF decodes once: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd → PASS
# App decodes again: ../../../etc/passwd → Attack succeeds

Common Double-Encoded Characters

Character | Single  | Double
----------|---------|--------
.         | %2e     | %252e
/         | %2f     | %252f
\         | %5c     | %255c
<         | %3c     | %253c
>         | %3e     | %253e
'         | %27     | %2527
"         | %22     | %2522

Vulnerable Scenarios

  • WAF decodes before checking, app decodes again
  • Reverse proxy decodes, backend decodes again
  • Multiple processing layers that each decode the input

Prevention

  • Decode input once at a single point
  • Validate after final decoding
  • Reject requests with encoded characters where not expected
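The following Python, added here as an example and not part of the original page, models the Attack Scenario above (a filter that decodes once in front of an application that decodes again) next to the Prevention advice (one bounded decoding point, validation only after the final decode). The two payloads are the ones from the scenario; `MAX_DECODE_ROUNDS`, the function names and the "rounds > 1 is suspicious" policy are assumptions made for the example.

```python
"""Double encoding: a once-decoding filter beside a canonicalize-then-validate check."""
from typing import Optional, Tuple
from urllib.parse import unquote

# Payloads taken from the "Attack Scenario" section above.
SINGLE_ENCODED = "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"
DOUBLE_ENCODED = "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd"

# Assumed policy value: how many nested decode layers to unwind before giving up.
MAX_DECODE_ROUNDS = 4


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (backslashes treated as separators)."""
    return ".." in path.replace("\\", "/").split("/")


def naive_waf_allows(raw: str) -> bool:
    """Models the filter from the scenario: decode once, then look for traversal.
    Returns True when the request is forwarded to the application."""
    return not has_traversal(unquote(raw))


def app_view(raw: str) -> Optional[str]:
    """What the backend actually operates on: the value the WAF forwarded,
    decoded a second time by the application. None if the WAF blocked it."""
    if not naive_waf_allows(raw):
        return None
    return unquote(unquote(raw))


def canonicalize(raw: str) -> Tuple[str, int]:
    """Decode until the value stops changing, bounded by MAX_DECODE_ROUNDS.
    Returns (fully decoded value, number of decode passes that changed it)."""
    current = raw
    for rounds in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    return current, MAX_DECODE_ROUNDS


def hardened_check(raw: str) -> Tuple[bool, str, str]:
    """Single decoding point, then validation on the final form.
    Returns (allowed, canonical value, reason)."""
    canon, rounds = canonicalize(raw)
    if rounds > 1:
        # Assumed policy: a path parameter is never legitimately encoded twice,
        # so nested encoding is rejected outright rather than silently unwound.
        return False, canon, "nested url-encoding"
    if has_traversal(canon):
        return False, canon, "path traversal"
    return True, canon, "ok"


if __name__ == "__main__":
    for payload in (SINGLE_ENCODED, DOUBLE_ENCODED, "docs/report%202024.pdf"):
        print(payload)
        print("  naive WAF forwards:", naive_waf_allows(payload))
        print("  app sees:          ", repr(app_view(payload)))
        print("  hardened check:    ", hardened_check(payload))
```

Running the block shows the gap the page describes: the single-encoded payload is blocked by the naive filter, the double-encoded one is forwarded and the application sees `../../../etc/passwd`, while `hardened_check` rejects both because it decodes to a fixed point first and validates what the application would actually use.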

See Also