URL Encode — Full
Encodes every character as %XX. Bypasses WAFs that only check decoded payloads.
Enter a payload above to see the encoded output…Tool
Encode and obfuscate payloads for defense evasion. URL encoding, HTML entities, Base64, PowerShell -EncodedCommand, shell tricks, SQL bypasses, and more — with restricted character filtering.
All Techniques33 techniques
Encodes every character as %XX. Bypasses WAFs that only check decoded payloads.
Enter a payload above to see the encoded output…Encodes only unsafe/special characters (encodeURIComponent). Standard URL-safe output.
Enter a payload above to see the encoded output…URL encodes the % sign itself (%25), so %2f becomes %252f. Bypasses single-decode filters.
Enter a payload above to see the encoded output…Encodes every character as &#DEC; HTML entity. Effective for XSS filter bypass.
Enter a payload above to see the encoded output…Encodes every character as &#xHEX; HTML entity. Bypasses XSS-aware filters.
Enter a payload above to see the encoded output…Standard Base64 encoding. Used in SSRF, command injection, and file inclusion bypasses.
Enter a payload above to see the encoded output…Base64 with URL-safe alphabet (+ → -, / → _) and no padding. Safe to embed in URLs.
Enter a payload above to see the encoded output…Encodes the input using the RFC 4648 Base32 alphabet (A–Z, 2–7). Output contains no special characters.
Enter a payload above to see the encoded output…Encodes each character as \xHH. Common in shell, PHP, and Python injection payloads.
Enter a payload above to see the encoded output…Encodes each character as octal \OOO. Used in shell and C-style string contexts.
Enter a payload above to see the encoded output…Encodes each character as \uXXXX. Bypasses JS-based string matching and XSS filters.
Enter a payload above to see the encoded output…Converts each character to its hex byte with no prefix or separator. Useful for binary/hex contexts.
Enter a payload above to see the encoded output…Rotates letters by 13 positions; non-letters are unchanged. Defeats naive string-matching filters.
Enter a payload above to see the encoded output…Encodes as UTF-16LE Base64 for powershell -EncodedCommand. Classic AV / EDR bypass.
Enter a payload above to see the encoded output…Inserts backticks (`) between characters. PowerShell silently ignores them; breaks signature matching.
Enter a payload above to see the encoded output…Inserts carets (^) between characters. cmd.exe strips them; bypasses string-based AV detections.
Enter a payload above to see the encoded output…Alternates upper/lower case (wHoAmI). PowerShell is case-insensitive; defeats exact-string signatures.
Enter a payload above to see the encoded output…Splits the command into two string literals joined with +. Evades static string detection.
Enter a payload above to see the encoded output…Converts each character to its decimal code point and uses [char[]] casting. No literal strings in output.
Enter a payload above to see the encoded output…Splits the command into 2-char chunks and reconstructs with the -f format operator. Fragments the literal.
Enter a payload above to see the encoded output…Inserts '' between alternating characters. Bash/sh evaluates to the original; defeats grep-based WAFs.
Enter a payload above to see the encoded output…Replaces spaces with ${IFS}. Bypasses filters that block literal spaces in shell commands.
Enter a payload above to see the encoded output…Wraps the whole input as $(printf '\xHH…'). Evaluates the hex-encoded string as a shell command.
Enter a payload above to see the encoded output…Expands each character individually via $(printf). Maximum evasion; verbose output.
Enter a payload above to see the encoded output…Uses bash ANSI-C quoting $'\xHH…' to represent the string as hex escapes without a subshell.
Enter a payload above to see the encoded output…Replaces spaces with /**/ inline comments. Bypasses space-filtering in SQL injection contexts.
Enter a payload above to see the encoded output…Converts the string to a MySQL/MSSQL hex literal (0xHEX). Bypasses quote filtering in SQL injection.
Enter a payload above to see the encoded output…Appends a %00 null byte. Exploits C-string null termination in file inclusion and extension checks.
Enter a payload above to see the encoded output…Converts ASCII to full-width variants (/→/). Bypasses ASCII-only normalisation filters.
Enter a payload above to see the encoded output…Doubles all forward slashes (/ → //). Bypasses simple path normalisation and blacklist checks.
Enter a payload above to see the encoded output…Inserts /./ between path segments. Equivalent path; evades literal-match path traversal filters.
Enter a payload above to see the encoded output…Encodes each ASCII byte as a 2-byte overlong UTF-8 sequence (e.g. / → %C0%AF). Classic WAF bypass.
Enter a payload above to see the encoded output…Appends %0D%0A (CRLF) to the input. Used to inject HTTP response headers in response-splitting attacks.
Enter a payload above to see the encoded output…