Lab on Client-Side Encoding in Web Security
Base64 is a binary-to-text encoding scheme that converts binary data into ASCII characters.
It is commonly used for:
● Encoding data for transmission over text-based protocols (e.g., emails, URLs).
● Storing binary files (e.g., images) as text.
● Basic obfuscation (NOT encryption) of data.
Base64 Encoding & Decoding
Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format.
✅ Challenge: Encode a user’s input into Base64 and decode it back.
import base64

def encode_base64(text):
    # Convert the text to UTF-8 bytes, Base64-encode them, and return an ASCII string
    return base64.b64encode(text.encode()).decode()

def decode_base64(encoded_text):
    # Reverse the steps: Base64-decode the ASCII string, then decode the bytes as UTF-8
    return base64.b64decode(encoded_text.encode()).decode()

user_input = input("Enter text to encode in Base64: ")
encoded = encode_base64(user_input)
decoded = decode_base64(encoded)
print(f"🔹 Base64 Encoded: {encoded}")
print(f"🔹 Base64 Decoded: {decoded}")
✅ Use Case: Base64 is used in web tokens, image encoding, and data obfuscation.
Example
import base64
text = "Hello"
encoded_text = base64.b64encode(text.encode()).decode()
print(encoded_text) # Output: SGVsbG8=
URL Encoding & Decoding
URL Encoding (also known as Percent Encoding) is a method used to encode special characters in a URL so that they can be safely transmitted over the internet.
✅ Challenge: Encode and decode a URL input.
🔹 Code (Python)
import urllib.parse

def encode_url(text):
    # Percent-encode every character except unreserved ones and "/" (quote's default safe set)
    return urllib.parse.quote(text)

def decode_url(encoded_text):
    # Replace %XX sequences with the characters they represent
    return urllib.parse.unquote(encoded_text)

user_input = input("Enter a URL: ")
encoded = encode_url(user_input)
decoded = decode_url(encoded)
print(f"🔹 URL Encoded: {encoded}")
print(f"🔹 URL Decoded: {decoded}")
✅ Use Case: Prevents special character issues in URLs.
Example
import urllib.parse

text = "https://example.com/search?q=hello world"
# quote() only treats "/" as safe by default, so the ":", "?" and "=" that give
# the URL its structure are encoded as well; it is meant for single URL components.
encoded_text = urllib.parse.quote(text)
print(encoded_text) # Output: https%3A//example.com/search%3Fq%3Dhello%20world
HTML Encoding & Decoding (Prevent XSS)
● HTML encoding converts special characters (<, >, &, ", ') into safe entities.
● This prevents injection attacks, such as XSS (Cross-Site Scripting).
● Example:
○ <script>alert('XSS')</script> (unsafe)
○ &lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt; (safe)
✅ Challenge: Convert special characters (<, >, &, ', ") into HTML entities.
🔹 Code (Python)
import html

def encode_html(text):
    # Replace <, >, &, " and ' with HTML entities so the browser renders them as text
    return html.escape(text)

def decode_html(encoded_text):
    # Turn entities back into the characters they stand for
    return html.unescape(encoded_text)

user_input = input("Enter an HTML snippet (e.g., <script>alert('XSS')</script>): ")
encoded = encode_html(user_input)
decoded = decode_html(encoded)
print(f"🔹 HTML Encoded: {encoded}")
print(f"🔹 HTML Decoded: {decoded}")
✅ Use Case: Prevents XSS attacks in web applications.
Example
import html

html_snippet = "<h1>Hello & Welcome!</h1>"
encoded_html = html.escape(html_snippet)
print(encoded_html) # Output: &lt;h1&gt;Hello &amp; Welcome!&lt;/h1&gt;
Detecting Double Encoding Attacks
URL Encoding converts special characters into a percent-encoded format.
Double Encoding is when an already URL-encoded string is encoded again.
Attackers use double encoding to bypass security filters.
Example of Double Encoding
🔹 Original input:
<script>alert('XSS')</script>
🔹 Single Encoding:
%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
🔹 Double Encoding:
%253Cscript%253Ealert(%2527XSS%2527)%253C/script%253E
✅ Challenge: Identify a double-encoded payload.
🔹 Code (Python)
import urllib.parse

def detect_double_encoding(text):
    # A single-encoded value is stable after one decode; a double-encoded value
    # still changes on the second pass. (A literal "%" that was encoded once, e.g.
    # "%2541", also changes on the second pass, so treat a hit as suspicious, not proven.)
    decoded_once = urllib.parse.unquote(text)
    decoded_twice = urllib.parse.unquote(decoded_once)
    if decoded_once != decoded_twice:
        print("❌ Double Encoding Attack Detected!")
    else:
        print("✅ Input is clean.")

user_input = input("Enter a URL-encoded string: ")
detect_double_encoding(user_input)
✅ Use Case: Attackers may double-encode input to bypass security filters.
Encoding Bypass Exploit
Encoding Bypass is a technique where an attacker encodes malicious payloads multiple
times to:
✔ Evade security filters
✔ Execute XSS, SQLi, and other attacks
✔ Hide malicious scripts in encoded formats
📌 Example of Encoding Bypass
Regular XSS Payload:
<script>alert('XSS')</script>
URL Encoded:
%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
HTML Entity Encoded:
&lt;script&gt;alert('XSS')&lt;/script&gt;
Base64 Encoded:
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
🚨 Hackers mix encoding methods to bypass security filters.
✅ Challenge: Detect suspicious input patterns using multiple encodings.
🔹 Code (Python)
def is_suspicious_input(text):
    # Surface-level heuristic: flags percent-encoding, HTML entities or a "base64" marker
    if "%" in text or "&lt;" in text or "&#" in text or "base64" in text:
        return "⚠️ Warning: Possible Encoding Bypass Attempt!"
    return "✅ Input looks safe."

user_input = input("Enter encoded data: ")
print(is_suspicious_input(user_input))
✅ Use Case: Helps prevent encoding-based bypass attacks.
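As an added example (not part of the original lab), the following Python canonicalizer serves both the double-encoding check above and this mixed-encoding challenge: it peels URL, HTML-entity and Base64 layers until the value stops changing, counts how many layers came off, and only then inspects the decoded value, so a filter judges what the browser would actually see rather than the encoded surface. The function names, the DANGEROUS pattern and the Base64 heuristic are this example's own assumptions.

```python
import base64
import binascii
import html
import re
import urllib.parse

# Markup that matters only once every encoding layer has been peeled off
# (illustrative pattern; a real filter would use an allow-list per context).
DANGEROUS = re.compile(r"<\s*/?\s*script\b|javascript:", re.IGNORECASE)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def _b64_layer(text):
    """Heuristic: treat the value as Base64 only if it decodes to printable ASCII."""
    if not B64_TOKEN.match(text):
        return text
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return text
    return decoded if decoded.isprintable() else text

def canonicalize(text, max_layers=4):
    """Peel URL, HTML-entity and Base64 layers until the value stops changing.
    Returns (canonical_text, layers_removed). A browser submits at most one
    layer, so layers_removed > 1 is itself a double-encoding signal."""
    layers = 0
    while layers < max_layers:
        for decoder in (urllib.parse.unquote, html.unescape, _b64_layer):
            decoded = decoder(text)
            if decoded != text:
                break
        else:
            return text, layers  # no decoder changed the value: it is stable
        text, layers = decoded, layers + 1
    return text, layers

def classify(text):
    """Validate the canonical form, not the encoded surface a filter happens to see."""
    canonical, layers = canonicalize(text)
    if DANGEROUS.search(canonical):
        return "malicious"
    if layers > 1:
        return "double-encoded"
    return "clean"

if __name__ == "__main__":
    # Constructed samples, including the encoded forms shown on this page.
    for sample in ("hello%2520world", "&lt;script&gt;alert('XSS')&lt;/script&gt;",
                   "PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="):
        print(f"{classify(sample):15} {sample}")
```

Unlike the substring check above, a plain "100% done" or "Tom & Jerry" stays clean here because no decoder changes it, while every encoded variant of the page's payload ends up as the same canonical string.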

Unit 2 Client-Side Encoding in Web Security