CyberChef URL Decode

Category: Web
Operation: URL Decode

What is URL Encoding?

URL encoding, also known as percent-encoding, is a mechanism for encoding information in a Uniform Resource Identifier (URI) by replacing certain characters with one or more character triplets consisting of the percent character "%" followed by two hexadecimal digits. This encoding is necessary because URLs can only contain a limited set of characters from the ASCII character set.

When you submit a form on a website or pass parameters in a URL, special characters (like spaces, symbols, or non-ASCII characters) must be encoded so they can be safely transmitted over the internet. For example, a space becomes %20, and an ampersand becomes %26.

Why URL Encoding Exists: URLs were originally designed to only use a subset of ASCII characters. Many characters have special meaning in URLs (like ?, &, =, /) or aren't allowed at all (like spaces and non-ASCII characters). URL encoding ensures these characters can be safely included in URLs without breaking their structure.

Understanding Percent-Encoding

Percent-encoding represents characters using their hexadecimal byte values. The process is straightforward:

  1. Take the character you want to encode
  2. Find its byte value in the appropriate character encoding (usually UTF-8)
  3. Convert each byte to hexadecimal
  4. Prefix each hexadecimal pair with a percent sign (%)

Common URL Encoding Examples

Character   Description        URL Encoded   Hex Value
(space)     Space character    %20 or +      0x20
!           Exclamation mark   %21           0x21
"           Double quote       %22           0x22
#           Hash/pound         %23           0x23
$           Dollar sign        %24           0x24
%           Percent            %25           0x25
&           Ampersand          %26           0x26
+           Plus               %2B           0x2B
=           Equals             %3D           0x3D
?           Question mark      %3F           0x3F
@           At symbol          %40           0x40

URL Decode Operation

CyberChef's URL Decode operation reverses the percent-encoding process, converting encoded characters back to their original form. This is essential for reading URL parameters, analyzing web traffic, debugging web applications, and understanding data transmitted via URLs.

When to Use URL Decode:

URL Decode Examples

Example 1: Simple Query String
Encoded: search?q=hello+world&lang=en
Decoded: search?q=hello world&lang=en

The plus sign (+) is decoded to a space.

Example 2: Special Characters
Encoded: name=John%20Doe&email=john%40example.com
Decoded: name=John Doe&email=john@example.com

%20 becomes space, %40 becomes @.

Example 3: Complex URL with Multiple Parameters
Encoded: https://example.com/search?q=cyber%20security%20%26%20hacking&page=1&sort=relevance
Decoded: https://example.com/search?q=cyber security & hacking&page=1&sort=relevance

%26 becomes &, allowing ampersands within parameter values.

Example 4: Unicode Characters
Encoded: message=Hello%2C%20%E4%B8%96%E7%95%8C
Decoded: message=Hello, 世界

Multi-byte UTF-8 sequences decode to international characters.

Reserved vs Unreserved Characters

URLs distinguish between reserved characters (which have special meaning) and unreserved characters (which can appear as-is).

Reserved Characters (Should be encoded in most contexts)

: / ? # [ ] @ ! $ & ' ( ) * + , ; =

These characters have special meaning in URL structure. For example, ? starts the query string, & separates parameters, and = assigns values.

Unreserved Characters (Don't need encoding)

A-Z a-z 0-9 - _ . ~

These characters can appear in URLs without encoding and will be interpreted literally.

Context Matters: Whether a character needs encoding depends on where it appears in the URL. For example, / is fine in the path but must be encoded as %2F within a query parameter value.

Common URL Decoding Scenarios

Scenario 1: Analyzing Search Engine Queries

Google Search URL Analysis
Encoded URL: https://www.google.com/search?q=how+to+use+cyberchef&hl=en&source=hp
Decoded Parameters:
  q = how to use cyberchef
  hl = en
  source = hp

Understanding what users are actually searching for by decoding the q parameter.

Scenario 2: Debugging API Calls

API Request Decoding
Encoded: POST /api/user?name=Jane%20Doe&role=admin%2Fdeveloper&access=%7B%22read%22%3Atrue%7D
Decoded: POST /api/user?name=Jane Doe&role=admin/developer&access={"read":true}

Revealing that the access parameter contains a JSON object.

Scenario 3: Security Analysis of Suspicious Links

Phishing URL Analysis
Suspicious Encoded URL: https://bit.ly/abc123?redirect=https%3A%2F%2Fevil.com%2Fphish%3Ftarget%3Dbank
Decoded: https://bit.ly/abc123?redirect=https://evil.com/phish?target=bank

Decoding reveals the actual destination of the redirect, exposing the phishing site.
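
The triage step from Scenario 3 can be scripted. The following is an added example, not part of the original guide or of CyberChef: it lists every query parameter whose decoded value is itself an http(s) URL, and peels extra encoding layers when the value only becomes a URL after further decoding. The function names and the second sample URL are assumptions made for illustration.

```javascript
"use strict";

// Parse text as an absolute http(s) URL; return null for anything else.
function parseHttpUrl(text) {
  try {
    const u = new URL(text);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// List query parameters that carry an embedded URL. searchParams already
// removes one layer of encoding; extraLayers counts any further layers that
// had to be removed before the value parsed as a URL.
function findEmbeddedUrls(rawUrl, maxExtraLayers = 3) {
  const outer = new URL(rawUrl);
  const findings = [];
  for (const [param, once] of outer.searchParams) {
    let value = once;
    let extraLayers = 0;
    let inner = parseHttpUrl(value);
    while (!inner && extraLayers < maxExtraLayers) {
      let next;
      try { next = decodeURIComponent(value); } catch { break; } // malformed
      if (next === value) break; // nothing left to decode
      value = next;
      extraLayers += 1;
      inner = parseHttpUrl(value);
    }
    if (inner) {
      findings.push({ param, target: inner.href, host: inner.hostname,
        extraLayers, crossHost: inner.hostname !== outer.hostname });
    }
  }
  return findings;
}

// First URL is the sample from the text above; the second is constructed.
const samples = [
  "https://bit.ly/abc123?redirect=https%3A%2F%2Fevil.com%2Fphish%3Ftarget%3Dbank",
  "https://short.example/x?lang=en&next=https%253A%252F%252Flogin.example%252Fa",
];
for (const s of samples) console.log(findEmbeddedUrls(s));
```

A crossHost finding with extraLayers greater than 0 deserves a closer look, since the destination was encoded more often than a normal link requires.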

Special Cases and Edge Cases

The Space Character: + vs %20

Spaces can be encoded two ways:

Both are valid, but + only represents a space in query strings. In other parts of the URL (like the path), a literal + means a plus sign, not a space.

Double Encoding

Sometimes data is URL encoded multiple times, either accidentally or intentionally:

Original: Hello World
Single Encoded: Hello%20World
Double Encoded: Hello%2520World
(%25 is the encoded percent sign, so %2520 decodes to %20)

To fully decode, you may need to apply URL decode multiple times.

Incomplete or Malformed Encoding

Invalid encoding sequences like %2 (missing second hex digit) or %GG (invalid hex) should be handled gracefully. CyberChef typically leaves malformed sequences unchanged.

URL Components Breakdown

Understanding URL structure helps identify what needs decoding:

https://user:pass@example.com:8080/path/to/page?key1=value1&key2=value2#section

Scheme: https
User: user (rarely used, deprecated in modern browsers)
Password: pass (rarely used, deprecated in modern browsers)
Host: example.com
Port: 8080
Path: /path/to/page
Query: key1=value1&key2=value2
Fragment: section

Encoding is most commonly needed in:

Using URL Decode in CyberChef

The URL Decode operation in CyberChef is straightforward:

  1. Paste your URL-encoded data into the input pane
  2. Search for and add the "URL Decode" operation
  3. View the decoded output
  4. If data appears still encoded, apply URL Decode again (for double-encoding)

Step-by-Step Example

Input Data:

user=John%20Doe&message=Hello%2C%20how%20are%20you%3F&time=2024-01-01T12%3A30%3A00

After URL Decode:

user=John Doe&message=Hello, how are you?&time=2024-01-01T12:30:00

Further Processing (Optional):

You might then use "URL Parameter Parser" or regular expressions to extract specific values:

user → John Doe
message → Hello, how are you?
time → 2024-01-01T12:30:00

CyberChef Recipe Ideas

Here are some useful recipe combinations involving URL Decode:

Security Considerations

URL Encoding in Security Attacks

Attackers often use URL encoding to obfuscate malicious payloads:

Security Warning: Always validate and sanitize decoded URL parameters before using them in your application. URL decoding can reveal attack payloads that were obfuscated to bypass security filters. Never trust user input, even after decoding.

Double Encoding Attacks

Attackers may double-encode malicious data to bypass security filters that only decode once. Always be aware of the possibility of multiple encoding layers.
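
The layered decoding described here and under "Double Encoding" and "Incomplete or Malformed Encoding" can be reproduced outside CyberChef. The following is an added example, not CyberChef's own code: a tolerant decoder that leaves malformed sequences unchanged, applied repeatedly until the text stops changing so that the number of encoding layers is reported. The function names and the layer limit are assumptions made for illustration.

```javascript
"use strict";

// Decode one layer of percent-encoding. Each run of valid %XX triplets is
// decoded as UTF-8; malformed sequences such as %2 or %GG never match the
// pattern and therefore stay unchanged.
function decodeOnce(input, plusAsSpace = false) {
  // '+' means space only in form-style query strings, so it is opt-in and is
  // handled before %2B is turned back into a literal plus.
  const text = plusAsSpace ? input.replace(/\+/g, " ") : input;
  return text.replace(/(?:%[0-9A-Fa-f]{2})+/g, (run) => {
    const bytes = Uint8Array.from(run.slice(1).split("%"), (h) => parseInt(h, 16));
    try {
      return new TextDecoder("utf-8", { fatal: true, ignoreBOM: true }).decode(bytes);
    } catch {
      // Not valid UTF-8: decode the ASCII triplets, keep the rest encoded.
      return run.replace(/%([0-7][0-9A-Fa-f])/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
    }
  });
}

// Decode until the text stops changing, bounded by maxLayers.
// layers >= 2 means the input was encoded more than once.
function decodeLayers(input, maxLayers = 5) {
  let current = input;
  let layers = 0;
  while (layers < maxLayers) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
    layers += 1;
  }
  // capped: the limit was reached and another pass would still change the text.
  const capped = layers === maxLayers && decodeOnce(current) !== current;
  return { decoded: current, layers, capped };
}

// Constructed sample inputs.
for (const s of ["Hello%2520World", "a%2&b%GG%41", "Hello%2C%20%E4%B8%96%E7%95%8C"]) {
  console.log(JSON.stringify(s), "->", decodeLayers(s));
}
```

A filter that inspects input should look at the fully decoded form, and a layer count of 2 or more on a request parameter is itself worth logging.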

Practical Tips

Pro Tip: When analyzing web traffic for security purposes, always decode URLs to reveal the actual data being transmitted. Encoded URLs can hide malicious payloads, exfiltrated data, or attack patterns that are only visible after decoding.