Payload Encoding and Obfuscation

Sophisticated attackers use a range of encoding and obfuscation techniques to bypass filters and other security measures. A simple filter might block obvious patterns such as <script>, but there are many ways around such pattern matching. With HTML entity encoding, &lt;script&gt; becomes <script> once the browser decodes it. URL encoding, Unicode encoding, and mixtures of several encodings can likewise slip past naive filters, because the filter inspects the raw input while the browser acts on the decoded form. For example, <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')> uses decimal HTML entities to represent "javascript:alert('XSS')", so a filter looking for the literal string "javascript:" never sees it.
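As an added example (not code from the original page), the JavaScript below shows the decimal-entity payload quoted above passing a pattern blacklist applied to raw input, and two defensive responses: canonicalizing (decoding) the input before validating it, and encoding on output so the markup is inert whatever the input contains. The function names are my own.

```javascript
// Added example: why a blacklist on raw input misses entity-encoded
// payloads, and the two defensive measures that address it.

// Naive blacklist: looks for obvious patterns in the raw, undecoded input.
function naiveFilterBlocks(input) {
  return /<script|javascript:/i.test(input);
}

// Decode decimal (&#106;), hex (&#x6A;) and the common named HTML entities,
// approximating the browser's own decoding step. A missing trailing
// semicolon is tolerated because browsers tolerate it too.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return Number.isNaN(code) ? match : String.fromCodePoint(code);
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? match;
  });
}

// Canonicalize-then-validate: decode repeatedly until the string stops
// changing (this also handles double encoding such as &amp;#106;), then
// apply the same pattern check to the canonical form.
function canonicalFilterBlocks(input) {
  let current = input;
  for (let i = 0; i < 5; i++) {
    const next = decodeHtmlEntities(current);
    if (next === current) break;
    current = next;
  }
  return naiveFilterBlocks(current);
}

// Output encoding for an HTML text or quoted-attribute context: the five
// characters that can change meaning are replaced, so the input is rendered
// as literal characters rather than parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[ch]);
}

// Constructed input: the decimal-entity IMG payload quoted on this page.
const ENTITY_PAYLOAD =
  "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')>";
```

Output encoding is the primary defence; canonicalizing before validation only makes a blacklist less easy to evade, it does not make it complete.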

JavaScript itself offers numerous obfuscation opportunities. The payload eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41)) executes alert('XSS') without containing that string, or any other obviously malicious text, in its source. Attackers might split a payload across multiple injection points, use JavaScript's dynamic features to assemble malicious code at runtime, or use legitimate features in unexpected ways. Modern obfuscation tools can transform a simple payload into complex, nearly unreadable code that still performs the intended malicious actions.