How to post invalid byte characters with curl etc.

Question: Question:

I want to test a web app, but I don't know how to post a character such as "\ xff" as a parameter.

Is there such a way?

Answer: Answer:

How about specifying a file that stores a parameter string containing invalid bytes as data?

$ echo -e 'str=\xff' > invalid_bytes.txt
$ hexdump -C invalid_bytes.txt 
00000000  73 74 72 3d ff 0a                                 |str=..|
$ curl -d @invalid_bytes.txt
  "args": {}, 
  "data": "", 
  "files": {}, 
  "form": {
    "str": "\ufffd"
  "headers": {
    "Accept": "*/*", 
    "Connection": "close", 
    "Content-Length": "6", 
    "Content-Type": "application/x-www-form-urlencoded", 
    "Host": "", 
    "User-Agent": "curl/7.52.1"
  "json": null, 
  "origin": "", 
  "url": ""

It's a bit annoying, but you can also pipe the echo results.

$ echo -e 'str=\xff' | curl -d @-

It's almost the same, but you can also use command substitution.

$ curl -d "$(echo -e 'str=\xff')"

You can also save it to a variable in the shell instead of saving it to a file.

$ DATA=$(echo -e '\xff') curl -d "str=${DATA}"

* Please note that if you try to send a null character (\ x00), it will be treated as the end of the character string depending on the method and you will not be able to send it properly. (You can see the difference by running the string as abc\x00abc etc.)


Scroll to Top