toCharCode
fromCharCode
encodeURL
decodeURL
decodeJSON
Escape
UnEscape
fromCharCodeX
Clear All
Copy to Clipboard
Last Command
XSS Payloads
Quick XSS Character Restriction Checks
XSS Polygot
Quick PoC: XSS Defacement
Quick PoC: String.fromCharCode XSS
Quick PoC: XSS in JS tag
Quick PoC: Steal Credential
A very short cross browser header injection
Add onclick event handler
Advanced HTML injection locator
Advanced XSS Locator
Advanced XSS Locator for title-Injections
Backslash-obfuscated XBL injection - variant 2
Basic back ticked attribute breaker
Basic double quoted attribute breaker
Basic JS breaker
Basic JS breaker variant 1
Basic JS breaker variant 2
Basic JS breaker variant 3
Basic JS breaker variant 4
Basic JS breaker variant 5
Basic JS breaker variant 6
Basic JS breaker variant 7
Basic JS breaker variant 8
Basic JS breaker variant 9
Basic JS breaker variant 10
Basic single quoted attribute breaker
Basic title breaker
BODY ONLOAD
Camouflaged comment injection with JS link
Case Insensitive
Character Encoding Example
Closing JS Tag in JS String assignment
Commented-out Block
Comment-breaker using obfuscated JavaScript
Conditional style injection for IE
Content Replace
DIV background-image 1
DIV background-image 2
DIV expression
DIV w/Unicode
Double open angle brackets
Dword Encoding
Embedded Carriage Return
Embedded Encoded Tab
Embedded Newline
Embedded Tab
End title tag
Escaping JavaScript escapes
Evade Regex Filter 1
Evade Regex Filter 2
Evade Regex Filter 3
Evade Regex Filter 4
Evade Regex Filter 5
Eval string contained in name property
Extra dot for Absolute DNS
Extraneous Open Brackets
Filter Evasion 1
Filter Evasion 2
Firefox Lookups 1
Firefox Lookups 2
Firefox Lookups 3
firefoxurl: uri exploit (UXSS)
FRAME
Grave Accents
Half-Open HTML/JavaScript
Hex Encoding
Hex Encoding w/out Semicolons
HTML Entities
HTML Quoute & Comment breaker
HTML wrapped in XML
IE backticked semicolon injection
IE closing-tag expression injection
IE expression injection
IE VB Messagebox injection
IFRAME
Image onerror wrapped in XML statement
Image tag with obfuscated JS URI
Image w/CharCode
IMG Embedded commands 1
IMG Embedded commands 2
IMG Lowsrc
IMG No Quotes/Semicolon
IMG STYLE w/expression
IMG w/JavaScript Directive
IMG w/VBscript
INPUT Image
IP Encoding
JavaScript concatenation vector variant 1
JavaScript concatenation vector variant 2
JavaScript concatenation vector variant 3
JavaScript concatenation vector variant 4
JavaScript concatenation vector variant 5
JavaScript concatenation vector variant 6
JavaScript concatenation vector variant 7
JavaScript Includes
JavaScript Link Location
JavaScript-breaker using carriage return
JS link with whitespace obfuscation
JS string concatenation breaker
JSON based obfuscated onload vector
JSON based onload vector
JSON based semicolon-onload vector
LAYER
List-style-image
Livescript
Local .htc file
Long UTF-8 Unicode w/out Semicolons
Malformed IMG Tags
Markup breaker with special quotes
META
META w/additional URL parameter
META w/data:URL
Mixed Encoding
Mocha
Mozilla -moz-binding-url injection
Mozilla -moz-binding-url injection - filter evading
Multiline selfcontained XSS
Multiline w/Carriage Returns
Name contained XSS variant 1
Name contained XSS variant 2
Name contained XSS variant 3
Name contained XSS variant 4
navigatorurl: code execution
No Closing Script Tag
No Quotes/Semicolons
Non-Alpha/Non-Digit
Non-Alpha/Non-Digit Part 2
Noscript-breaker with mouseover
Null Chars 1
Null Chars 2
Obfuscated body onload vector
Obfuscated DOM element creation
Obfuscated double-body onload vector
Obfuscated image tag using dec entities
Obfuscated image tag using hex entities
Obfuscated image tag using long dec entities
Obfuscated JS image source
Obfuscated name trigger for Firefox
Obfuscated onload attribute variant 1
Obfuscated onload attribute variant 2
Obfuscated XML predicate vector variation 1
Obfuscated XML predicate vector variation 2
Obfuscated XML predicate vector variation 3
Obfuscated XSS variant 1
OBJECT
OBJECT w/Embedded XSS
Octal Encoding
Open string contained in name property
PHP
Plain JavaScript alert
Protocol Resolution Bypass
Protocol resolution in script tags
RegExp based, and native C filter vector.
Remote IE URL overloading
Remote Stylesheet 1
Remote Stylesheet 2
Remote Stylesheet 3
Remote Stylesheet 4
Removing Cnames
Rename .js to .jpg
res:// installed software probing
SCRIPT w/Alert()
SCRIPT w/Char Code
SCRIPT w/Source File
Self-contained XSS variant 1
Self-contained XSS variant 2
Self-contained XSS variant 3
Self-contained XSS variant 4
Self-contained XSS variant 5
Self-contained XSS variant 6
Self-contained XSS variant 7
Self-contained XSS variant 8
Self-contained XSS variant 9
Self-containing XSS with no dots
Spaces/Meta Chars
SSI
STYLE
Style injection via content and double-eval
STYLE w/Anonymous HTML
STYLE w/background
STYLE w/background-image
STYLE w/broken up JavaScript
STYLE w/Comment
Stylesheet
Style-breaker using obfuscated JavaScript
Super basic HTML breaker 2
Super short XSS variant 1
Super short XSS variant 2
TABLE
TD
Textarea-breaker with mouseover
Unicode encoded script tags
URL breaker for double quotes
URL breaker for single quotes
URL encoded image source
URL Encoding
URL-breaking vector
US-ASCII encoding
UTF-7 Encoding
UTF-8 Unicode Encoding
with() executing alert via document.__parent__
XML data island w/CDATA
XML data island w/comment
XML HTML+TIME
XML predicate XSS using content[n]
__parent__ stored JS alert
__proto__ stored JS alert
XML (locally hosted)
XML namespace
XSS Quick Test
XSS via VBScript MsgBox
--Encoder/Decoder--
to Decimal entities (&#NN;)
to Decimal entities without suffix ; (&#NN)
to HEX entities (&#xNN;)
to HEX entities (\xNN)
to HEX entities (\NN)
to HEX entities (%NN)
to Unicode(%u00NN)
to Unicode JS(\u00NN)
to octal JS entities
to Packer
htmlEncode (& -> &)
to MySQL HEX()
to MySQL Char(x),Char(y)
to MySQL Char(x,y)
to Oracle/Db2 Chr(x)||Chr(y)
to MSSQL HEX()
to PHP char(x).char(y)
to VBscript Chr(x) & Chr(y)
to Base64
from Decimal entities(&#NN;)
from Decimal entities without suffix ;(&#NN)
from HEX entities(&#xNN;)
from HEX entities (\xNN)
from HEX entities (\NN)
from HEX entities (%NN)
from Unicode(%u00NN)
from Unicode JS(\u00NN)
from octal JS entities
from Packer
htmlDecode (& -> &)
from MySQL HEX()
from MySQL Char(x),Char(y)
from MySQL Char(x,y)
from Oracle/Db2 Chr(x)||Chr(y)
from MSSQL HEX()
from PHP char(x).char(y)
from VBscript Chr(x) & Chr(y)
from Base64
------- EnCrypt -------
MD5
SHA1
SHA256
SHA512
ripemd320
haval256
CRC32
crypt()
AES
RC4
Rabbit
rot13
Reverse
Char++
Char--
AES
RC4
Rabbit
-------Text FX -------
Add space among < and >
Replace < > with [ ]
Replace < > with $
Remove all whitespaces
Remove leftmost and right-most whitespaces
Decode JSON String
Reverse String
Change ' to "
Change " to '
Change curly quotes to ""
Remove quotes ' "
Remove single quote
Remove double quote
Escape ' to \'
Escape " to \"
Escape ' to \"
Escape " to \'
Escape \ to \\
Escape / to \/
UnEscape \' to '
UnEscape \" to "
UnEscape \" to '
UnEscape \' to "
UnEscape \\ to \
UnEscape \/ to /
from \NN to &#NN;
from &#NN; to \NN
from % to \
from \n to %0D%0A
from %0A to %0D%0A
from \ to /
Ajax mode
0
URL:
------- Misc -------
Convert Git URL to HTTPS
Get Secure Random String
Validate XML
Minify Google Query URL
Extract URL from Google Query
Number:Resultant Plus
Save to Cookie
Get from Cookie
View All Cookies
Send to CAL9000
Send to HackVertor
Send to CyberChef
Renders:
HTML Editor
|
CodePen
|
JSFiddle
|
Netrenderer
|
Browsershots
Last updated on 2021-09-21
About this tool
This tool offers functions that allow you to do quick encoding using JavaScript. It was extensively used for
earlier OWASP WebGoat video tutorials
.
URL Shortcut
https://cybersecurity.wtf/encoder?i=Encode+This+String
https://cybersecurity.wtf/encoder?u=https://xss-game.appspot.com/level1/frame%3fquery=
[Test URL]
Changelog
You can read the
tool development history
.
This tool was initially developed by
Mario
from
Cure53.de
in 2007 or earlier.
You can
download this initial version
.