Estoy trabajando en Burp y recibí una respuesta interesante al enviar una cadena descodificada como una solicitud GET. Al copiar / pegar la misma cadena en un navegador, la cadena es codificada automáticamente por el navegador cuando se realiza la solicitud.
¿Es posible enviar URI decodificados en navegadores modernos?
La codificación es necesaria y es la parte principal de cómo funciona la URL para que el servidor de la aplicación reciba la forma correcta de los datos.
Si su ataque no requiere la interacción del usuario como XSS, puede diseñar su carga útil de ataque en python; en caso de que siga siendo el mismo y se produzca el ataque.
Si te estás perdiendo lo básico, puedes leer el artículo a continuación.
Encoding a URL
The most commonly encoded character in URL string is the <space> character. You see this character whenever you see a plus-sign (+) in a URL. This represents the space character. The plus sign acts as a special character representing that space in a URL. The most common way you'll see this is in a mailto link that includes a subject. If you want the subject to have spaces in it, you can encode them as pluses:
mailto:email?subject=this+is+my+subject
This bit of encoding text would transmit a subject of "this is my subject". The "+" character in the encoding would be replaced with an actual <space> when it is rendered in the browser.
To encode a URL, you simply replace the special characters with their encoding string. This will nearly always begin with a % character.
Encoding a URL
Strictly speaking, you should always encode any special characters found in a URL. One important note, in case you are feeling a bit intimidated by all this talk or encoding, is that you generally won't find any special characters in a URL outside their normal context except with form data.
Most URLs use the simple characters that are always allowed, so no encoding is needed at all.
If you submit data to CGI scripts using the GET method, you should encode the data as it will be sent over the URL. For instance, if you are writing a link to promote an RSS feed, your URL will need to be encoded to add to the script URL you're promoting it on.
What Should Be Encoded?
Any character that is not an alphabetic character, a number, or a special character that is being used outside its normal context is going to need to be encoded in your page. Below is a table of common characters that could be found in a URL and their encoding.
Reserved Characters URL Encoding
Character Purpose in URL Encoding
: Separate protocol (http) from address %3B
/ Separate domain and directories %2F
# Separate anchors %23
? Separate query string %3F
& Separate query elements %24
@ Separate username and password from domain %40
% Indicates an encoded character %25
+ Indicates a space %2B
<space> Not recommended in URLs %20 or +
Lea otras preguntas en las etiquetas web-application web-browser penetration-test chrome firefox