Multiple encoded attack is a technique used to bypass security mechanisms which only decodes user data input once. Attackers can inject multiple encoding in pathnames or query strings to bypass the authentication schema and security filters in use by the web application.
Multiple encoded attacks can be used to masquerade a path traversal attack or a cross-site scripting (XSS) attack. Most multiple encoded attacks work by encoding the characters entered, so that it really decodes the message to input illegal characters.