Encoding
Some of the key characters we need to encode are:
Spaces: May indicate the end of request data if not encoded&: Otherwise interpreted as a parameter delimiter#: Otherwise interpreted as a fragment identifier
To URL-encode text in Burp Repeater, we can select that text and right-click on it, then select (Convert Selection>URL>URL encode key characters), or by selecting the text and clicking [CTRL+U].
Burp also supports URL-encoding as we type if we right-click and enable that option, which will encode all of our text as we type it
ZAP should automatically URL-encode all of our request data in the background before sending the request, though we may not see that explicitly.
There are other types of URL-encoding, like Full URL-Encoding or Unicode URL encoding, which may also be helpful for requests with many special characters.
Decoding
The following are some of the other types of encoders supported by both tools:
- HTML
- Unicode
- Base64
- ASCII hex
To access the full encoder in Burp, we can go to the Decoder tab. In ZAP, we can use the Encoder/Decoder/Hash by clicking [CTRL+E]. With these encoders, we can input any text and have it quickly encoded or decoded.
In recent versions of Burp, we can also use the Burp Inspector tool to perform encoding and decoding (among other things), which can be found in various places like Burp Proxy or Burp Repeater:
In ZAP, we can use the Encoder/Decoder/Hash tool, which will automatically decode strings using various decoders in the Decode tab:
We can create customized tabs in ZAP’s Encoder/Decoder/Hash with the “Add New Tab” button, and then we can add any type of encoder/decoder we want the text to be shown in. Try to create your own tab with a few encoders/decoders.