URL Encoder / Decoder
Type or paste raw text on the left and see the URL-encoded (percent-encoded) form on the right -- or do it in reverse. Both fields update in real time as you type. Handy for crafting HTTP requests, decoding query parameters, and manipulating form data in web exploitation challenges.
Common encodings reference
| Character | Encoded | Notes |
|---|---|---|
| (space) | %20 | Space (also + in form data) |
| ! | %21 | Exclamation mark |
| " | %22 | Double quote |
| # | %23 | Hash / anchor |
| $ | %24 | Dollar sign |
| % | %25 | Percent (must be encoded) |
| & | %26 | Ampersand (param separator) |
| ' | %27 | Single quote |
| ( | %28 | Open paren |
| ) | %29 | Close paren |
| + | %2B | Plus (also means space in query) |
| , | %2C | Comma |
| / | %2F | Forward slash |
| : | %3A | Colon |
| ; | %3B | Semicolon |
| = | %3D | Equals (param assignment) |
| ? | %3F | Question mark (query start) |
| @ | %40 | At sign |
| [ | %5B | Open bracket |
| ] | %5D | Close bracket |
| { | %7B | Open brace |
| } | %7D | Close brace |
How percent-encoding works
URLs can only contain a safe subset of ASCII characters. Any character outside that set -- including spaces, special punctuation, and non-ASCII bytes -- must be represented as a percent sign followed by two hex digits: %XX. For example, a space becomes %20, an equals sign becomes %3D, and an ampersand becomes %26.
In web CTF challenges, percent-encoding is often used to bypass input filters. Injecting %27 instead of a literal single quote can slip past naive keyword blocklists. Double-encoding (encoding the percent sign itself as %25) can bypass a second layer of filtering.
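The defensive counterpart to the bypasses above, as an added example that is not part of this tool's code: decode the input to a stable canonical form, reject values that needed more than one decode pass, and validate the canonical form against an allowlist. The function names, `MAX_PASSES`, the username pattern and the sample inputs are assumptions made for illustration.

```javascript
// Added example: canonicalize percent-encoded input, then validate the result.
// MAX_PASSES, the function names and the allowlist pattern are illustrative assumptions.
const MAX_PASSES = 3;
const USERNAME_OK = /^[A-Za-z0-9_.-]{1,32}$/; // allowlist, not a keyword blocklist

// Decode until the value stops changing. `passes` counts decodes that changed it.
function canonicalize(raw) {
  let current = raw;
  for (let passes = 0; passes <= MAX_PASSES; passes++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      // A "%" that does not start a valid escape. On the raw input this is
      // malformed; after a successful pass it is a literal "%" (from %25).
      if (passes === 0) return { ok: false, reason: "malformed", passes };
      return { ok: true, value: current, passes };
    }
    if (next === current) return { ok: true, value: current, passes };
    current = next;
  }
  // Still changing after MAX_PASSES decodes: refuse to keep unwrapping.
  return { ok: false, reason: "too-many-layers", passes: MAX_PASSES + 1 };
}

// Validate a raw (still encoded) parameter: inspect the canonical form and
// treat more than one encoding layer as a rejection, not something to repair.
function checkUsername(raw) {
  const c = canonicalize(raw);
  if (!c.ok) return { allowed: false, reason: c.reason };
  if (c.passes > 1) return { allowed: false, reason: "multiple-encoding" };
  if (!USERNAME_OK.test(c.value)) return { allowed: false, reason: "not-in-allowlist" };
  return { allowed: true, value: c.value };
}

// Constructed sample inputs.
for (const raw of ["alice", "bob%2Esmith", "x%27", "x%2527", "x%zz"]) {
  console.log(raw, JSON.stringify(checkUsername(raw)));
}
```

Pass the returned `value` to the rest of the application and do not decode it again; a second decode downstream reopens the gap this check closes.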
This tool uses the browser's built-in encodeURIComponent and decodeURIComponent functions, which follow RFC 3986. Characters that are unreserved (letters, digits, - _ . ~) are left as-is; everything else is encoded.
Useful for web exploitation challenges in picoCTF -- including SQL injection, XSS filter bypasses, and open-redirect chains. Look for web challenges in the picoCTF 2024 Web Gauntlet writeup for examples of encoding-based bypasses.