URL Encoder / Decoder
Type or paste raw text on the left and see the URL-encoded (percent-encoded) form on the right - or do it in reverse. Both fields update in real time as you type. Handy for crafting HTTP requests, decoding query parameters, and manipulating form data in web exploitation challenges.
Common encodings reference
| Character | Encoded | Notes |
|---|---|---|
| (space) | %20 | Space (also + in form data) |
| ! | %21 | Exclamation mark |
| " | %22 | Double quote |
| # | %23 | Hash / anchor |
| $ | %24 | Dollar sign |
| % | %25 | Percent (must be encoded) |
| & | %26 | Ampersand (param separator) |
| ' | %27 | Single quote |
| ( | %28 | Open paren |
| ) | %29 | Close paren |
| + | %2B | Plus (a literal + must be encoded; an unencoded + is decoded as a space in form data and by most query-string parsers) |
| , | %2C | Comma |
| / | %2F | Forward slash |
| : | %3A | Colon |
| ; | %3B | Semicolon |
| = | %3D | Equals (param assignment) |
| ? | %3F | Question mark (query start) |
| @ | %40 | At sign |
| [ | %5B | Open bracket |
| ] | %5D | Close bracket |
| { | %7B | Open brace |
| } | %7D | Close brace |
How percent-encoding works
URLs can only contain a safe subset of ASCII characters. Any character outside that set, including spaces, special punctuation, and non-ASCII bytes, must be represented as a percent sign followed by two hex digits: %XX, where XX is the byte value. Decoders accept upper- or lower-case hex, but upper case is the canonical form. For example, a space becomes %20, an equals sign becomes %3D, and an ampersand becomes %26.
In web CTF challenges, percent-encoding is often used to bypass input filters. Injecting %27 instead of a literal single quote can slip past naive keyword blocklists that inspect the raw request before the server decodes it. Double-encoding (encoding the percent sign itself as %25, so the quote is sent as %2527) can bypass a second layer of filtering: the first decode yields %27, which contains no quote, and the second decode yields the literal '.
This tool uses the browser's built-in encodeURIComponent and decodeURIComponent functions. Unreserved characters (letters, digits, - _ . ~) are left as-is, and encodeURIComponent also leaves ! ' ( ) * unencoded, even though RFC 3986 lists them as reserved sub-delimiters. So the %21, %27, %28 and %29 rows in the table above will not come out of the encoder automatically; type them by hand when a challenge needs them. Everything else is encoded as its UTF-8 bytes. Note also that decodeURIComponent throws a URIError on a malformed sequence such as a trailing % or a %XX that does not form valid UTF-8, whereas many server-side decoders silently pass such bytes through; that difference is itself worth probing.
Useful for web exploitation challenges in picoCTF, including SQL injection, XSS filter bypasses, and open-redirect chains. See the picoCTF 2024 Web Gauntlet writeup for examples of encoding-based bypasses.
It is important to distinguish encodeURIComponent from encodeURI. The latter leaves structural URL characters like /, ?, #, and & unencoded because they are meaningful in a URL context. When injecting into a query parameter value, always use encodeURIComponent to ensure every special character is escaped - otherwise an unescaped & or = will break the parameter boundary.
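The two points above, parameter boundaries and layered decoding, as an added example (this is not the tool's own source). It builds a query string with encodeURI versus encodeURIComponent and parses it back to show where the boundary breaks, then runs a constructed toy filter that decodes once and blocklists single quotes in front of a handler that decodes again. The filter and handler are hypothetical simulations written for this example, not any real server's behaviour.

```javascript
// Added example: query-boundary breakage and a decode-once filter.

// Build a query string from an object, encoding keys and values with `enc`.
// With encodeURIComponent a value containing & or = cannot start a new
// parameter; with encodeURI those characters survive unencoded.
function buildQuery(params, enc = encodeURIComponent) {
  return Object.entries(params)
    .map(([k, v]) => `${enc(k)}=${enc(v)}`)
    .join('&');
}

// Minimal query-string parser (last value wins), decoding each side.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Round-trip a redirect target through the query string and report what
// the receiving side actually sees for each encoder.
function roundTrip(next, enc) {
  return parseQuery(buildQuery({ next }, enc));
}

// Constructed toy: a filter that decodes the parameter once and blocks a
// single quote, in front of a handler that decodes a second time. This is
// a simulation of the layered-decoding pattern, not real server code.
function layeredHandler(rawParam) {
  let once;
  try {
    once = decodeURIComponent(rawParam);
  } catch (e) {
    return { blocked: true, reason: 'malformed escape' };
  }
  if (once.includes("'")) return { blocked: true, reason: 'quote in input' };
  let twice;
  try {
    twice = decodeURIComponent(once);
  } catch (e) {
    twice = once; // second decode failed; handler keeps the once-decoded value
  }
  return { blocked: false, seen: twice };
}

// Worked values (a redirect target carrying its own query string).
const target = '/home?a=1&b=2';
const broken = roundTrip(target, encodeURI);          // next=/home?a=1&b=2 -> {next:'/home?a=1', b:'2'}
const intact = roundTrip(target, encodeURIComponent); // next=%2Fhome%3Fa%3D1%26b%3D2 -> {next:'/home?a=1&b=2'}
const single = layeredHandler('%27');   // blocked: first decode exposes the quote
const double = layeredHandler('%2527'); // passes: first decode gives %27, second gives '
```

The double-encoded payload has to be typed by hand because encodeURIComponent("'") returns "'" unchanged; paste %27 into the decoder side, or encode % itself, to see the intermediate forms.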
Form data submitted via POST uses a slightly different encoding called application/x-www-form-urlencoded, which replaces spaces with + rather than %20 (so a literal + must be sent as %2B). Because GET forms produce the same encoding in the query string, most query-string parsers also turn + into a space, while path and strict RFC 3986 decoders leave + as a literal plus. When crafting a raw HTTP request in a CTF, be aware of which encoding the server expects for the part of the request you are targeting. If the server decodes + as a space in one context but as a literal plus in another, that discrepancy can be exploited to bypass server-side validation.
Unicode characters (non-ASCII) are first converted to their UTF-8 byte sequence, then each byte is percent-encoded. For example, the euro sign € is U+20AC, which in UTF-8 is three bytes 0xE2 0x82 0xAC, giving the URL encoding %E2%82%AC. Challenges that involve Unicode normalization attacks or path traversal on international hostnames sometimes rely on these multi-byte sequences.
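An added byte-level encoder and decoder (written for this page, not the tool's own code) that covers the last two paragraphs: it walks the UTF-8 bytes with TextEncoder so the three-byte form of € is visible, reassembles %XX bytes before UTF-8 decoding so a multi-byte sequence comes back as one character, encodes strictly per RFC 3986 (including ! ' ( ) *), and exposes the form-urlencoded + handling as a switch so the two decode behaviours can be compared on the same input.

```javascript
// Added example: RFC 3986 percent-encoding over UTF-8 bytes, with an
// application/x-www-form-urlencoded variant for the + / %20 difference.

const UNRESERVED = /[A-Za-z0-9\-._~]/; // RFC 3986 section 2.3

// Percent-encode every UTF-8 byte of `str` except unreserved ASCII.
// Unlike encodeURIComponent this also encodes ! ' ( ) *.
function percentEncodeBytes(str) {
  let out = '';
  for (const b of new TextEncoder().encode(str)) {
    const ch = String.fromCharCode(b);
    out += b < 0x80 && UNRESERVED.test(ch)
      ? ch
      : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Reverse: collect raw bytes first, decode as UTF-8 once at the end so
// %E2%82%AC becomes a single '€' rather than three garbage characters.
// `plusIsSpace` selects form-urlencoded semantics for '+'.
function percentDecodeBytes(str, plusIsSpace = false) {
  const chars = Array.from(str); // iterate code points so astral chars stay whole
  const bytes = [];
  for (let i = 0; i < chars.length; i++) {
    const c = chars[i];
    if (c === '%') {
      const hex = chars.slice(i + 1, i + 3).join('');
      if (!/^[0-9A-Fa-f]{2}$/.test(hex)) throw new Error(`bad escape at ${i}`);
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else if (c === '+' && plusIsSpace) {
      bytes.push(0x20);
    } else {
      for (const b of new TextEncoder().encode(c)) bytes.push(b);
    }
  }
  // fatal: true rejects byte sequences that are not valid UTF-8
  return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
}

// application/x-www-form-urlencoded: same bytes, but space becomes '+'.
function formEncode(str) {
  return percentEncodeBytes(str).replace(/%20/g, '+');
}

function formDecode(str) {
  return percentDecodeBytes(str, true);
}

// Worked values.
const euro = percentEncodeBytes('€');            // %E2%82%AC (U+20AC as three UTF-8 bytes)
const strict = percentEncodeBytes("!'()*");      // %21%27%28%29%2A; encodeURIComponent leaves these as-is
const form = formEncode('a b+c');                // a+b%2Bc
const asForm = formDecode('a+b%2Bc');            // 'a b+c'
const asStrict = percentDecodeBytes('a+b%2Bc');  // 'a+b+c': same bytes, different meaning of +
```

Running formDecode and percentDecodeBytes over the same request parameter shows exactly the discrepancy the previous paragraph describes; a validator using one and a consumer using the other will disagree about whether a + was a space.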