PayloadForge is a modular, Python-based CLI tool developed for educational and defensive cybersecurity research.
It generates structured payload templates demonstrating how common web vulnerabilities work and how modern defenses detect and block them.
-
Reflected XSS
-
Stored XSS
-
DOM-based XSS
-
HTML context
-
Attribute context
-
JavaScript context
-
Bypass logic metadata
-
Encoding simulation
-
Case manipulation logic
-
Tag switching examples
-
Error-based injection
-
Union-based injection
-
Blind (boolean + time-based template only)
-
MySQL
-
PostgreSQL
-
MSSQL
-
Comment-based bypass
-
Case variation
-
No live database interaction
-
Linux patterns
-
Windows patterns
-
Command separators as strings only
-
OS-based logic
-
Explanation of why filters fail
Execution disabled by default
- URL Encoding
- Base64 Encoding
- Hex Encoding
- Comment insertion obfuscation
- Whitespace abuse
- Mixed obfuscation
- WAF detection reasoning
- JSON export
- TXT export
PayloadForge/
│
├── main.py
│
├── modules/
│ ├── xss.py
│ ├── sqli.py
│ └── command_injection.py
│
├── core/
│ ├── encoder.py
│ ├── obfuscator.py
│ ├── exporter.py
│ └── waf_notes.py
│
└── README.md
git clone https://github.com/abds059/PayloadForge
cd PayloadForge
python main.py --help
-
python main.py --module xss -
python main.py --module xss --xss-type reflected --context html -
python main.py --module sqli --db mysql --sqli-type union -
python main.py --module cmd --os linux -
python main.py --module xss --encode url -
python main.py --module xss --obfuscate comment -
python main.py --module sqli --export jsonpython main.py --module xss --export txt
This framework is strictly for academic learning, defensive research, and authorized security testing within legal environments.
It does not execute live commands or interact with real databases.
Users must adhere to responsible disclosure practices and ethical standards; any unauthorized use is strictly prohibited, and the authors assume no liability for misuse.
- Abdur Rehman Siddiqui
- Areeba Zehra Jafri