Why are they used?

• Evade detection of common payloads

• • Filtering of traffic containing the likes of:
  • • exec of /bin/sh or other shells
    • adduser commands
    • interaction with /etc/passwd
    • etc...

• Restricted payload byte values:

• • Input filtered for non-alphanumeric
  • Payload must pass through modification functions:
  • • tolower() / toupper()
    • Character set conversions