DEV Community: Ilias Georgopoulos

I Built a Browser-Based Payload Transformation Toolkit for Web Security Testing

Ilias Georgopoulos — Fri, 03 Apr 2026 08:47:28 +0000

I Built a Browser-Based Payload Transformation Toolkit for Web Security Testing

I’ve been learning more about web security, bug bounty workflows, and how modern applications handle unusual or transformed input.

As part of that journey, I built WAF Bypass Toolkit — a browser-based tool that helps with payload transformation for authorized web security testing and research.

What it does

The idea is simple:

You start with a test input and apply different transformation techniques to see how the format changes.

This can help security researchers and developers better understand how applications, filters, and validation layers react to transformed input during testing.

Current focus

The toolkit is designed around common web security testing scenarios such as:

SQLi
XSS
Command Injection
LFI
SSRF
SSTI
XXE

Features

Some of the transformations currently included are:

whitespace transformations
case toggling
inline comments
encoding variations
multiple transformation combinations

Why I made it

I wanted something that is:

fast to use
browser-based
simple to test with
easy to expand over time

Another important goal was privacy and simplicity.

Everything runs client-side, which means no payloads or inputs need to be sent to a server.

Who it is for

This project is intended for:

security researchers
developers learning application security
bug bounty practitioners working within authorized scope
anyone experimenting in local labs or training environments

Demo

You can check it out here:

https://waf-bypass.dev/

GitHub repo:

https://github.com/Ilias1988/waf-bypass

Notes

This tool is intended strictly for educational purposes, research, and authorized security testing only.

Feedback welcome

This is an active project and I’m still improving it.

I’d love feedback on:

UI/UX
transformation ideas
developer experience
documentation
feature suggestions

Building an Open-Source Payload Obfuscator with React & Vite

Ilias Georgopoulos — Fri, 20 Mar 2026 18:35:50 +0000

As developers, we often build tools to automate our pain points. Lately, I've been diving deep into offensive security and Red Teaming. One of the biggest headaches during security testing? Getting your perfectly legitimate testing payloads flagged and blocked by static analysis engines (AVs/EDRs) before they even run.

Manually obfuscating code—swapping variable names, encoding strings, and injecting dead loops—is incredibly tedious. I wanted a visual, instant way to test different evasion layers on common payloads.

Since I couldn't find a lightweight, browser-based tool that gave me the feedback I needed, I decided to build one.

Meet the Payload Obfuscator.

(Note: Replace the image link above if you want to upload screenshot.png directly using the DEV.to editor button)

🛠️ The Tech Stack
I wanted this tool to be fast, responsive, and completely client-side (sending sensitive payload data to a random server is a massive red flag in infosec).

Framework: React 18 + Vite. The hot module replacement (HMR) during development was a lifesaver when tweaking the obfuscation engines.

Styling: Tailwind CSS. It allowed me to rapidly prototype that dark, terminal-style UI you expect from a security tool.

Deployment: GitHub Pages paired with a custom .dev domain.

🧠 How the Engine Works
The core of the app isn't just a text formatter; it's a multi-layer transformation engine supporting 5 languages (PowerShell, Python, Bash, C#, and Go).

Users can toggle different layers on and off:

Variable Randomization: Uses Regex to find variable declarations and swaps them with realistic but randomized string hashes.

String Encoding: Reverses URLs or wraps them in Base64/Hex encoding that decodes at runtime.

Dead Code Injection: Inserts non-functional, junk logic to break up known malicious signatures.

Encryption Wrappers: The final layer, wrapping the payload in XOR logic.

📊 Solving the "Entropy" Problem
Here is where the data science part comes in. The problem with aggressive obfuscation (like heavy encryption) is that it creates code with a very high Shannon Entropy. High entropy acts as a giant flare for heuristic scanners, signaling "this file is packed or hiding something."

To solve this, I built a real-time Entropy Meter into the UI. As you stack obfuscation layers, the tool calculates the entropy score dynamically. The goal is to keep the payload's entropy in the "moderate" green zone (around 5.5 - 6.0)—enough to evade static signatures, but not enough to trigger heuristic alarms. It also estimates a "Detection Probability" score based on the applied techniques.

🌐 Try It Out
You can play around with the live tool here: https://payload-obfuscator.dev/

The entire project is open-source. Whether you're interested in the React architecture, the Tailwind implementation, or the actual string manipulation logic, you can check out the repo:

GitHub: https://github.com/Ilias1988/payload-obfuscator

(Friendly disclaimer: This tool is strictly for educational purposes, security research, and authorized penetration testing. Use it responsibly!)

I’d love to hear your thoughts on the code structure or the UI! Has anyone else here built security tools using modern frontend frameworks? Drop a comment below!

I Upgraded My Pentesting Toolkit: Introducing 2 Free Web Tools for Infosec 🛡️

Ilias Georgopoulos — Thu, 19 Mar 2026 16:01:00 +0000

Hey everyone! 👋

A while back, I shared my repository with 70+ hacking cheatsheets here, and the community response was awesome. Today, I'm super excited to share the next evolution of my personal cybersecurity toolkit.

As pentesters and CTF players, we value speed and efficiency. I found myself constantly looking up the same reverse shell commands or digging through various sites for Living Off The Land binaries. So, I decided to build my own solutions and just moved them to their own dedicated .dev domains.

Here is what I built to make our lives a bit easier:

1. 🐚 Web Reverse Shell Generator

Link: shellgenerator.dev

If you play CTFs or do active pentesting, you know the struggle of constantly tweaking reverse shells for different environments.
This is an advanced, browser-based payload generator built with React, Vite & Tailwind CSS.

What it does: Instantly generates Reverse, Bind, and MSFVenom payloads.
Features: Clean dark-mode UI, easy copy-paste functionality, and highly customizable LHOST/LPORT settings directly in your browser.

2. 🥷 LOLBins Interactive Reference

Link: livingofftheland.dev

Living off the land is essential for bypassing defenses and post-exploitation. I wanted a unified, interactive reference for LOLBAS & GTFOBins that doesn't just list commands, but actually helps you build them.

What it does: A dynamic directory of trusted binaries used for stealthy operations.
Features: Real-time search, interactive payload builder (just type your IP/Port once and it updates all commands), and direct MITRE ATT&CK mapping.

Both tools are completely free, open-source, and run smoothly in your browser.

I built these to solve my own workflow bottlenecks, but I hope you find them just as useful for your next engagement or CTF challenge! I would love to hear your feedback—what features should I add next?

If you find them helpful, feel free to drop a ⭐ on my GitHub repositories. You can also check out my other projects on my portfolio at ilias1988.me.

Happy hacking! 💻👾

I Built a Repository with 70+ Hacking Cheatsheets — Here’s Why It Matters

Ilias Georgopoulos — Wed, 18 Mar 2026 18:05:42 +0000

When I started learning cybersecurity, I quickly realized something:

👉 The problem isn’t lack of information — it’s fragmentation.

Every time I needed something simple like:

a reverse shell
a privilege escalation checklist
or a quick command reference

…I had to jump between multiple sources:

GTFOBins
LOLBAS
random GitHub repositories
outdated blog posts

It was slow, confusing, and inefficient.

🚀 So I decided to fix that

I created a centralized repository that contains 70+ hacking cheatsheets in one place.

👉 The goal is simple:
Make learning and practicing cybersecurity faster and more practical.

📚 What’s inside?

This repository includes cheatsheets for:

🔴 Offensive Security

Metasploit Framework
Mimikatz
Privilege Escalation (Linux & Windows)
Reverse shells & payloads

🌐 Web & Bug Bounty

SQL Injection (SQLMap)
XSS, SSTI, LFI
Burp Suite & OWASP ZAP
Recon tools like ffuf, httpx, Subfinder

📡 Networking & Enumeration

Nmap
SMB, LDAP, DNS enumeration
MITM techniques

🔓 Password Attacks

Hydra
John the Ripper
Hashcat

🛡️ Blue Team & Detection

Log analysis
SIEM basics
Threat hunting

☁️ Cloud, Mobile & More

AWS / Azure / GCP basics
Android & iOS testing
Docker & Kubernetes

⚡ Why this is useful

Instead of searching everywhere, you get:

✅ Quick command references

✅ Real-world examples

✅ Structured learning

✅ Offline access (Markdown format)

🔗 Check it out

If you're learning cybersecurity or doing CTFs / pentesting, this might help:

👉 https://github.com/Ilias1988/Hacking-Cheatsheets

🧠 Who is this for?

Beginners in cybersecurity
TryHackMe / HackTheBox users
Bug bounty hunters
Pentesters
Anyone who wants quick references

💡 Future plans

I plan to:

Add more advanced techniques
Expand Blue Team content
Improve methodology guides
Add more real-world scenarios

🤝 Contribute

If you want to contribute or improve something:

Open an issue
Submit a pull request
Suggest new cheatsheets

⚠️ Disclaimer

This content is for educational purposes only.

Always:

Use on systems you own
Have proper authorization

🔥 Final thoughts

Cybersecurity is hard — not because it's impossible, but because information is scattered.

This project is my attempt to simplify that.

⭐ If you find it useful, consider starring the repo!

Happy hacking — ethically. 🔴