## https://sploitus.com/exploit?id=9DBEE47E-0650-5E7F-B24D-DC0D432BFFCD
# XSS WAF Lab โ Payload Generator
This project studies how Web Application Firewalls (WAFs) use character-based filters to block XSS payloads and implements a small Python script that generates encoded variants of a simple XSS payload. The goal is to understand why naive blacklists are weak and how encoding tricks can help an attacker evade poorly designed filters in controlled lab environments.
## Files
- `xss_payload_generator.py` โ Python script that generates multiple variants of a base XSS payload using HTML entity encoding and URL encoding.
- `xss_waf_lab.ipynb` โ Notebook with research notes, payload generation code, test plan, and experiment log for a PortSwigger XSS lab.
## Usage
Run the script with Python 3:
python xss_payload_generator.py
The script prints the original `` payload and several encoded variants such as numeric entities, hex entities, zero-padded entities, and a URL-encoded version.
## Testing (lab only)
The payloads were tested against a PortSwigger Web Security Academy lab titled "Reflected XSS into HTML context with most tags and attributes blocked", which uses a WAF-like filter for HTML tags. In this environment, the original `` payload triggered a "Tag is not allowed" response, indicating that the filter explicitly rejected that pattern.