Logo

MonoCalc

/

URL Obfuscator

Encode/Decode
For research & education only
This tool is intended for security research, penetration testing, and education. Do not use obfuscated URLs to deceive users or conduct phishing attacks. Always obtain permission before testing systems you do not own.
Enter a full URL including scheme (e.g. https://example.com/path)

Obfuscation Strategy

Options

1

2

3

Number of times to apply encoding (1 = lightest, 3 = most encoded)

Obfuscation Scope

About This Tool

🔗 URL Obfuscator – Transform URLs with Multiple Encoding Strategies

The URL Obfuscator is a browser-based security tool that transforms a URL into an alternative, less-readable representation without changing its functional destination. Security researchers, penetration testers, and educators use URL obfuscation to demonstrate phishing techniques, test URL filtering systems, and understand how browsers and servers parse non-standard URL forms.

Why Obfuscate URLs?

Web browsers and servers support many equivalent ways to represent the same URL. Understanding these alternative forms is essential for:

  • Security research — analysing how URL filters and WAFs handle non-standard inputs
  • Penetration testing — verifying whether security controls correctly block obfuscated attack payloads
  • Security awareness training — showing end users how convincing phishing URLs can look
  • Education — learning how URL parsing works across different browsers and libraries

Supported Obfuscation Strategies

1 · Percent Encoding

Replaces characters in the URL with their %XX hexadecimal equivalents. This is the most widely supported strategy — browsers automatically decode percent-encoded URLs before navigating. For example, https://example.com/login becomes https%3A%2F%2Fexample%2Ecom%2Flogin.

2 · Double Encoding

Applies percent-encoding twice so the % sign itself is re-encoded as %25. A single-encoded %2F becomes the double-encoded %252F. This technique can bypass web application firewalls that only decode input once before applying security rules.

3 · Mixed Case

Alternates upper and lower case characters throughout the scheme and hostname. Because HTTP/HTTPS and DNS hostnames are case-insensitive, the URL HtTpS://ExAmPlE.cOm resolves identically to https://example.com. This defeats simple string-matching filters that check only for an exact lowercase pattern.

4 · Unicode Homoglyphs

Replaces ASCII characters with visually identical Unicode code points — for example, the Latin letter o is replaced with the Cyrillic о (U+043E). To the human eye the URL looks unchanged, but the byte representation is entirely different. This technique is widely used in IDN homograph attacks.

5 · IP Address Conversion

Converts a bare IPv4 hostname into three alternative numeric forms. For the address 192.168.1.1:

  • Dword (decimal): 3232235777
  • Hexadecimal: 0xC0A80101
  • Octal: 0300.0250.01.01

All three forms are accepted by most browsers and resolve to the same IP address. Use this mode when the URL's hostname is a literal IPv4 address.

6 · Data URI Wrapping

Wraps the destination URL inside a data:text/html URI containing an HTML meta-refresh redirect. The resulting URL hides the true destination inside an inline HTML payload, illustrating how the data: scheme can be abused to obscure navigation intent.

Obfuscation Scope Controls

Each URL is split into three parts — scheme (https://), hostname, and path & query string. Toggle switches let you apply obfuscation selectively to each part, giving fine-grained control over which sections are transformed.

URL Components Reference

ComponentExampleNotes
schemehttps:Case-insensitive; rarely obfuscated in practice
hostnameexample.comPrimary target for homoglyph and IP conversion attacks
pathname/loginOften obfuscated to hide attack payloads
search?redirect=homeQuery parameters can carry encoded exploits
hash#sectionProcessed client-side only; not sent to server

Decoded Verification

After each obfuscation, the tool automatically decodes the output and compares it to the original URL. A green checkmark ✅ confirms the obfuscated URL resolves to the same destination. An orange warning ⚠️ means the decoded form could not be confirmed as equivalent — this can occur with homoglyph substitution or data URI wrapping where the URL is embedded inside a payload rather than directly accessible.

Responsible Use

All processing happens entirely in your browser — no URL is ever sent to a server. This tool is provided for legitimate security research, penetration testing with authorisation, and educational purposes only. Using URL obfuscation to deceive users, conduct phishing campaigns, or bypass security controls without permission is illegal in most jurisdictions and violates the terms of service of virtually every platform.

Frequently Asked Questions

Is the URL Obfuscator free?

Yes, URL Obfuscator is totally free :)

Can I use the URL Obfuscator offline?

Yes, you can install the webapp as PWA.

Is it safe to use URL Obfuscator?

Yes, any data related to URL Obfuscator only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

What is URL obfuscation and what is it used for?

URL obfuscation transforms a URL into an alternative representation that looks different but resolves to the same destination. It is used by security researchers, penetration testers, and educators to demonstrate phishing techniques, test URL filters, and understand how browsers and servers parse URLs.

How does the URL Obfuscator tool work?

Enter a valid URL, choose an obfuscation strategy (such as percent encoding, double encoding, mixed case, Unicode homoglyphs, or data URI wrapping), configure optional scope toggles and encoding depth, then click Obfuscate. The tool processes the URL entirely in your browser — nothing is sent to any server.

Do obfuscated URLs still work in browsers?

Most obfuscation strategies produce URLs that browsers decode automatically, so they navigate to the same destination. Percent-encoded and double-encoded URLs are decoded by browsers before navigation. Data URI wrapping and Unicode homoglyphs may behave differently across browsers and email clients.

What is the difference between percent encoding and double encoding?

Percent encoding replaces characters with their %XX hexadecimal equivalent (e.g., / → %2F). Double encoding applies percent encoding a second time so that the % sign itself becomes %25 (e.g., %2F → %252F). Double encoding can confuse web application firewalls that only decode once.

Is URL obfuscation legal to use?

This tool is intended for security research, education, and legitimate testing purposes. Using obfuscated URLs to deceive users, conduct phishing attacks, or bypass security controls without authorisation is illegal in most jurisdictions. Always ensure you have permission before testing systems you do not own.

Are there any limitations to URL obfuscation techniques?

No obfuscation technique is undetectable. Modern security tools and browsers recognise common strategies. Unicode homoglyphs may trigger internationalised domain name (IDN) warnings. IP address conversion only works when the hostname is a bare IPv4 address. Double encoding is blocked by many WAFs.