Quite often @wireghoul bugs me to blog post about various topics and things I have learnt over the years of a penetration testing.
So here is the first post of 2021! It is quite short but hopefully, it will aid someone.
Typically during penetration testing, I tend to want to generate a number of payloads using various encoding methods to test for cross-scripting bypasses, some WAF’s might block ( however using ( can aid in bypassing it, and browsing to various other websites to generate a number of payloads can be a bit tedious, So I quickly wrote this tool one night to generate a various number of encoded payloads to aid in penetration testing.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import re
import string
import urllib.parse
def unicode_bypass(text):
rep = {
"a": "\\u0061",
"l": "\\u006c",
"e":"\\u0065",
"r":"\\u0072",
"t":"\\u0074"
}
text = "".join([rep.get(c, c) for c in text])
return text
def unicode_gen(text):
replacements = {
"(": "('",
")": "')",
"'": "'",
"/": "/",
}
text = "".join([replacements.get(c, c) for c in text])
return text
def htmlcode(text):
text = urllib.parse.quote_plus(text)
print(text)
return text
class GeneratePayload:
def __init__(self, payload):
self.payload = payload
print("Html Code Payload:", htmlcode(payload))
print("Secondary:", unicode_gen(payload))
print("Unicode:", unicode_bypass(payload))
if __name__ == '__main__':
payload = input("Enter a XSS payload\n")
GeneratePayload(payload)
Hopefully the next post is going to about using golang to aid with iOS/MacOSX testing as I am slowly working through the wonderful OS Internals series by [@Morpheus____](https://twitter.com/Morpheus__).
Macs are wildly complex..