Using double encoding to bypass security checks that only decoded user input once. The decoded user input will pass this security checks and then later be used in backend platforms or modules that understand the encoding but don't have the corresponding security checks in place.
- Use double URL encoded XSS script to bypass a built-in XSS detection module. The first layer of the encodings will be decoded by the HTTP protocol and the resultant URL encoded script will be able to pass the built-in XSS detection module and gets into the application. If this script is returned to a victim user by the application later, the script is going to fire on the victim's browser.
- CAN-2004-1938 - "%2527" (double-encoded single quote) used in SQL injection.
- CVE-2001-0333 - Directory traversal using double encoding.
For more details, see PLOVER - Double Encoding
Attackers try to bypass some security checks.