XSS Payload Sandbox

An XSS Payload Sandbox is a security testing tool that allows security researchers, penetration testers, and developers to safely test and analyze Cross-Site Scripting (XSS) payloads. It applies various encoding and escaping transformations to payloads so you can understand how different output contexts (HTML, JavaScript, URL, CSS) affect the payload's structure. This helps in both crafting bypass techniques and validating proper input sanitization measures.

HTML Entity Encoding replaces special characters with their corresponding HTML entities. For example, < becomes <, > becomes >, & becomes &, and quotes become " or '. This encoding is essential when inserting user-controlled data into HTML body content, as it prevents the browser from interpreting injected HTML tags. It's the most fundamental XSS defense when outputting to HTML contexts.

URL Encoding (also called percent-encoding) replaces unsafe ASCII characters with a % followed by two hexadecimal digits. For example, < becomes %3C. Double URL Encoding applies URL encoding twice — so < first becomes %3C, then the % itself gets encoded to %25, resulting in %253C. Double encoding is a well-known bypass technique: if a WAF or filter decodes input only once and then passes it to the application which decodes again, the payload can slip through.

Unicode Escape (\uXXXX format) is primarily used in JavaScript string literals to represent characters by their Unicode code points. For example, < becomes \u003C. JavaScript Escape uses hex escape sequences (\xXX) for characters in the 0-255 range and also handles special characters like newlines (\n), tabs (\t), backslashes (\\), and quotes (\', \"). Use Unicode escapes when you need full Unicode support; use standard JS escaping for inserting data into JavaScript string contexts.

Each injection context requires different escaping strategies: HTML Body needs HTML entity encoding for < > &. HTML Attributes additionally require quoting of attribute delimiters (" or '). JavaScript strings need backslash escaping for quotes, backslashes, and line terminators. URL parameters require percent-encoding. CSS needs CSS-specific escaping. A common mistake is using HTML entity encoding for JavaScript contexts — entities aren't interpreted inside <script> blocks, leaving the application vulnerable.

Hex Encoding represents each character as \x followed by its two-digit hexadecimal code. For example, alert becomes \x61\x6c\x65\x72\x74. This encoding is commonly used in JavaScript contexts to obfuscate payloads and bypass signature-based filters. Combined with eval() or Function() constructors, hex-encoded strings can execute arbitrary JavaScript. Many WAFs look for plaintext alert or script patterns, making hex encoding an effective evasion technique.

Base64 encoding can be effective in specific scenarios, particularly with data: URIs or when combined with JavaScript atob() decoding. For example, eval(atob('YWxlcnQoMSk=')) executes alert(1). However, Base64 alone doesn't bypass HTML context restrictions since the browser doesn't automatically decode Base64 in HTML. It's most effective when the application has a decoding mechanism or when used in combination with other techniques like the data:text/html;base64,... URI scheme.

The most effective XSS prevention strategies include: 1) Use context-appropriate output encoding (HTML entities for HTML, JavaScript escaping for JS, etc.). 2) Implement a Content Security Policy (CSP) to restrict script sources. 3) Validate and sanitize all user inputs using allowlists rather than blocklists. 4) Use modern frameworks (React, Angular, Vue) that auto-escape by default. 5) Set the HttpOnly flag on cookies. 6) Apply the principle of least privilege — never inject user data into dangerous contexts like eval() or innerHTML.