This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Double Encoding

Revision as of 16:39, 9 June 2006 by Weilin Zhong (talk | contribs) (Belongs to Categories)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


Using double encoding to bypass security checks that only decoded user input once. The decoded user input will pass this security checks and then later be used in backend platforms or modules that understand the encoding but don't have the corresponding security checks in place.


  • Use double URL encoded XSS script to bypass a built-in XSS detection module. The first layer of the encodings will be decoded by the HTTP protocol and the resultant URL encoded script will be able to pass the built-in XSS detection module and gets into the application. If this script is returned to a victim user by the application later, the script is going to fire on the victim's browser.
  • CAN-2004-1938 - "%2527" (double-encoded single quote) used in SQL injection.
  • CVE-2001-0333 - Directory traversal using double encoding.

For more details, see PLOVER - Double Encoding

Related Threats

Attackers try to bypass some security checks.

Related Attacks

SQL Injection

XSS Attacks

Related Vulnerabilities

Category:Lack of Input Validation

Related Countermeasures

Category:Input Validation


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.