
[FEATURE] Add an Option to disable url-encoding when in fuzzing path #6162

@XD-MHLOO

Description


Add an option to disable URL encoding: urlencode: false

fuzzing:
  - part: path
    type: replace
    mode: single
    fuzz:
      - "{{injections}}"
    urlencode: false   # proposed option: insert the payload verbatim

By providing an option to disable URL encoding, users can send their exact desired payload.

Describe the use case of the feature

Problem Summary:

  1. Currently, URL encoding is enabled by default, which is beneficial in many cases.
     However, it encodes space characters as + instead of %20.
     This can be a problem for users who want to encode spaces as %20 rather than +.
     Example case:
     The user has the payload "(select 1 from sleep(5)" when fuzzing on the path,
     and expects that after URL encoding the request is sent as
     https://example.com/shop/category/(select%201%20from%20sleep(5)/display. However, the payload
     is encoded as https://example.com/shop/category/(select+1+from+sleep(5)/display.
     If the user were able to disable URL encoding, they could send their exact desired payload, such as
     "(select%201%20from%20sleep(5)", and have the request sent exactly as
     https://example.com/shop/category/(select%201%20from%20sleep(5)/display.

  2. Conflicts that happen in different use cases of special characters.

    Example: The hash # character:

    Case 1 (SQL Injection):
    Testing SQL injection on https://example.com/john<payload>/login

    The user wants # to be URL-encoded as %23 so that it's treated as part of the URL and not as a fragment identifier. In this case, the injection might look like:
    https://example.com/john' OR SLEEP(10) %23/login.

    Case 2 (XSS Injection):
    Testing XSS injection on https://example.com/home/<payload>

    The user does not want # encoded, as it’s needed for XSS injection. The # symbol should remain as-is to allow the JavaScript to process it correctly:
    https://example.com/home/#<svg/onload=alert()>.

    Proposed Approach:

    Since URL encoding is enabled by default, the user in Case 1 would succeed; however, that is not the case for the user in Case 2. Therefore it would be nice to add an option to disable URL encoding, allowing the user to send the exact payload string as provided.

The user in Case 2 needs this:

    fuzzing:
      - part: path
        type: replace
        mode: single
        fuzz:
          - "{{injections}}"
        urlencode: false   # proposed option: insert the payload verbatim

Describe alternatives you've considered

No response

Additional context

No response
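The encoding behaviours compared in the issue, as an added example that is not part of the original issue and not nuclei's own code. The safe-character set, the Mode constants, the function names and the simple {{injections}} substitution are assumptions for the demo; nuclei's real encoder may differ. Beyond the issue's own cases, the example also shows why the option matters for pre-encoded payloads (with encoding on, a payload that already contains %20 is double-encoded to %2520) and, via net/url, what an HTTP client actually transmits when the payload contains a raw # versus %23.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Characters the demo encoder leaves untouched besides ASCII letters and
// digits: the RFC 3986 unreserved marks plus the sub-delims, ':' and '@' that
// may appear literally in a path segment. Space, '#', '?', '%' and '/' are
// deliberately absent. This set is an assumption for the example, not
// nuclei's encoder.
const safeInPathSegment = "-._~!$&'()*,;=:@"

// Mode models the three behaviours discussed in the issue.
type Mode int

const (
	ModePlus    Mode = iota // encode, space -> '+' (the default the issue describes)
	ModePercent             // encode, space -> %20
	ModeRaw                 // proposed "urlencode: false": insert the payload verbatim
)

// PercentEncode percent-encodes every byte that is not alphanumeric and not in
// safeInPathSegment; with spaceAsPlus a space becomes '+' instead of %20.
func PercentEncode(payload string, spaceAsPlus bool) string {
	var b strings.Builder
	for i := 0; i < len(payload); i++ {
		c := payload[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
			b.WriteByte(c)
		case strings.IndexByte(safeInPathSegment, c) >= 0:
			b.WriteByte(c)
		case c == ' ' && spaceAsPlus:
			b.WriteByte('+')
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BuildURL substitutes payload for the {{injections}} marker in template after
// applying the chosen mode. With ModePlus or ModePercent a payload that is
// already percent-encoded has its '%' re-encoded as %25 (double encoding),
// which is exactly what ModeRaw avoids.
func BuildURL(template, payload string, mode Mode) string {
	switch mode {
	case ModePlus:
		payload = PercentEncode(payload, true)
	case ModePercent:
		payload = PercentEncode(payload, false)
	}
	return strings.Replace(template, "{{injections}}", payload, 1)
}

// SentPath reports what an HTTP client actually transmits: the path, and the
// fragment, which is everything after an unescaped '#' and never reaches the
// server. A '%23' stays in the path and arrives at the server decoded as '#'.
func SentPath(raw string) (path, fragment string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	return u.Path, u.Fragment, nil
}

func main() {
	tmpl := "https://example.com/shop/category/{{injections}}/display"
	payload := "(select 1 from sleep(5)" // payload quoted in the issue
	fmt.Println("plus:   ", BuildURL(tmpl, payload, ModePlus))
	fmt.Println("percent:", BuildURL(tmpl, payload, ModePercent))
	fmt.Println("raw:    ", BuildURL(tmpl, "(select%201%20from%20sleep(5)", ModeRaw))
	for _, u := range []string{
		"https://example.com/home/#<svg/onload=alert()>",
		"https://example.com/home/%23<svg/onload=alert()>",
	} {
		p, f, _ := SentPath(u)
		fmt.Printf("%s\n  path=%q fragment=%q\n", u, p, f)
	}
}
```

Running it shows the two encoded forms from the issue side by side, the double-encoded result you get when a pre-encoded payload is passed through the encoder again, and that only the %23 variant of the Case 2 URL carries the payload in the request path; the raw # variant leaves it in the fragment, where the server never sees it.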

Metadata

Assignees: No one assigned

Labels: Type: Enhancement (Most issues will probably ask for additions or changes.)
