Letterman

Reputation: 4206

Can URL encoding bypass XSS filtering?

The second piece of code here, http://anautonomouszone.com/blog/xss-cheat-sheet, claims to bypass HTML special chars filtering (meaning, <>) by URL encoding:

Bypass filter when it strips <script> tags:
%253cscript%253ealert(document.cookie)%253c/script%253e

Obviously this is URL encoding, which makes the server unaware of the original content, but I can't possibly see when it translates back into <script>.

The server gets it like this, and sends it back. HTTP content is not encoded, so the user will get it as it is.

What am I missing? Is this true for the PHP function htmlspecialchars?

EDIT :

After I got quite misunderstood in the chat, I'll try to make myself clear.

This is taken from an XSS cheat sheet, and other XSS tutorials. Meaning, it's a method for trying to bypass some methods that are against XSS.

What I'm trying to understand is simple:

Notice, this is in MANY sites, so it probably doesn't refer to a one-in-a-million developer mistake, but something quite likely in a way.

Thanks a lot.

Upvotes: 1

Views: 7910

Answers (1)

Erlend

Reputation: 4416

A couple of ways:

  • Simple XSS filters/IDS etc. looking for tags can be fooled if they don't decode twice
  • It happens from time to time, due to the complexity of software, that application servers decode values twice
  • It also happens that developers misunderstand the framework and add additional URL decoding even though it has already been done by the server

Edit: Here is an OWASP page describing the attack. At the bottom there are two links to real vulnerabilities: https://www.owasp.org/index.php/Double_Encoding

Upvotes: 1
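To illustrate the decode-twice failure the answer describes, here is an added Python model (not from the question, the answer, or the cheat sheet) of a request pipeline: the server decodes once, a naive tag-stripping filter runs, and a redundant application-level decode turns the encoded payload back into a tag, while a filter that canonicalizes first, or output encoding at the point of insertion, does not have the problem. The function names and pipeline shape are assumptions for illustration; html.escape stands in for PHP's htmlspecialchars as the output-encoding step.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input: the double-encoded payload quoted in the question.
DOUBLE_ENCODED = "%253cscript%253ealert(document.cookie)%253c/script%253e"

# A naive blacklist filter of the kind the answer's first bullet describes:
# it only looks for literal <script> tags in whatever string it is handed.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    return SCRIPT_TAG.sub("", value)


def process_request(raw_param: str, extra_decode: bool) -> str:
    """Model the pipeline (assumed shape): the web server URL-decodes the
    query string once, the filter runs, then (optionally) application code
    decodes again, the mistake in the answer's second and third bullets."""
    value = unquote(raw_param)          # server-side decode, always happens
    value = strip_script_tags(value)    # filter sees "%3cscript%3e": no match
    if extra_decode:
        value = unquote(value)          # redundant decode turns %3c into <
    return value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing, so a filter sees the same
    text the final consumer will (bounded to avoid pathological input)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def render_unsafe(value: str) -> str:
    # Reflecting the value verbatim into HTML, as the question assumes.
    return f"<p>Hello {value}</p>"


def render_escaped(value: str) -> str:
    # Output encoding at the insertion point, the analogue of PHP's
    # htmlspecialchars(): < > & " ' become entities regardless of how
    # many decodes happened upstream.
    return f"<p>Hello {html.escape(value, quote=True)}</p>"
```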
