Attackers also use double obfuscation, Nazario said. On top of simple joins or splits or single encoding, they use double encoding, often with a custom decoder. While several people like to use the browser to decode such exploits, Nazario said it’s a bad idea, as the technique is too slow to get full information from a browser under zero-day conditions.
