Share
## https://sploitus.com/exploit?id=9DBEE47E-0650-5E7F-B24D-DC0D432BFFCD
# XSS WAF Lab โ€“ Payload Generator

This project studies how Web Application Firewalls (WAFs) use character-based filters to block XSS payloads and implements a small Python script that generates encoded variants of a simple XSS payload. The goal is to understand why naive blacklists are weak and how encoding tricks can help an attacker evade poorly designed filters in controlled lab environments.

## Files

- `xss_payload_generator.py` โ€“ Python script that generates multiple variants of a base XSS payload using HTML entity encoding and URL encoding.
- `xss_waf_lab.ipynb` โ€“ Notebook with research notes, payload generation code, test plan, and experiment log for a PortSwigger XSS lab.

## Usage

Run the script with Python 3:

python xss_payload_generator.py

The script prints the original `` payload and several encoded variants such as numeric entities, hex entities, zero-padded entities, and a URL-encoded version.

## Testing (lab only)

The payloads were tested against a PortSwigger Web Security Academy lab titled "Reflected XSS into HTML context with most tags and attributes blocked", which uses a WAF-like filter for HTML tags. In this environment, the original `` payload triggered a "Tag is not allowed" response, indicating that the filter explicitly rejected that pattern.