XSS Encoding Generator

Quite often @wireghoul bugs me to blog post about various topics and things I have learnt over the years of a penetration testing.

So here is the first post of 2021! It is quite short but hopefully, it will aid someone.

Typically during penetration testing, I tend to want to generate a number of payloads using various encoding methods to test for cross-scripting bypasses, some WAF’s might block ( however using ( can aid in bypassing it, and browsing to various other websites to generate a number of payloads can be a bit tedious, So I quickly wrote this tool one night to generate a various number of encoded payloads to aid in penetration testing.

python
import re
import string
import urllib.parse

def unicode_bypass(text):
    rep = {
        "a": "\\u0061",
        "l": "\\u006c",
        "e":"\\u0065",
        "r":"\\u0072",
        "t":"\\u0074"
    }
    text = "".join([rep.get(c, c) for c in text])
    return text

def unicode_gen(text):
    replacements = {
        "(": "('",
        ")": "')",
        "'": "'",
        "/": "/",
    }
    text = "".join([replacements.get(c, c) for c in text])
    return text

def htmlcode(text):
    text = urllib.parse.quote_plus(text)
    print(text)
    return text

class GeneratePayload:
    def __init__(self, payload):
        self.payload = payload
        print("Html Code Payload:", htmlcode(payload))
        print("Secondary:", unicode_gen(payload))
        print("Unicode:", unicode_bypass(payload))


if __name__ == '__main__':
    payload = input("Enter a XSS payload\n")
    GeneratePayload(payload)

Hopefully the next post is going to about using golang to aid with iOS/MacOSX testing as I am slowly working through the wonderful OS Internals series by @Morpheus______.

Macs are wildly complex..

#XSS