Encoding — Obfuscator

Encoding13 techniques

Encodes every character as %XX. Bypasses WAFs that only check decoded payloads.

Enter a payload above to see the encoded output…

Encodes only unsafe/special characters (encodeURIComponent). Standard URL-safe output.

Enter a payload above to see the encoded output…

URL encodes the % sign itself (%25), so %2f becomes %252f. Bypasses single-decode filters.

Enter a payload above to see the encoded output…

Encodes every character as &#DEC; HTML entity. Effective for XSS filter bypass.

Enter a payload above to see the encoded output…

Encodes every character as &#xHEX; HTML entity. Bypasses XSS-aware filters.

Enter a payload above to see the encoded output…

Standard Base64 encoding. Used in SSRF, command injection, and file inclusion bypasses.

Enter a payload above to see the encoded output…

Base64 with URL-safe alphabet (+ → -, / → _) and no padding. Safe to embed in URLs.

Enter a payload above to see the encoded output…

Encodes the input using the RFC 4648 Base32 alphabet (A–Z, 2–7). Output contains no special characters.

Enter a payload above to see the encoded output…

Encodes each character as \xHH. Common in shell, PHP, and Python injection payloads.

Enter a payload above to see the encoded output…

Encodes each character as octal \OOO. Used in shell and C-style string contexts.

Enter a payload above to see the encoded output…

Encodes each character as \uXXXX. Bypasses JS-based string matching and XSS filters.

Enter a payload above to see the encoded output…

Converts each character to its hex byte with no prefix or separator. Useful for binary/hex contexts.

Enter a payload above to see the encoded output…

Rotates letters by 13 positions; non-letters are unchanged. Defeats naive string-matching filters.

Enter a payload above to see the encoded output…