Micah here. Recently, I’ve found several great resources for those of you who perform web application hacking/penetration testing. Most people are aware of the old RSnake XSS filter evasion cheat sheet, now maintained and enhanced by OWASP (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet).
There are two other sites/web apps that can help too. One has an NSFW domain name but, as we are all adults here and it has a neat approach to XSS, I’ll post it. The http://www.jsfuck.com/ site uses only 6 characters in its payloads. Yup. 6. Check out the translation of the typical “alert(1)” payload in the picture below.
“Brutelogic” (https://twitter.com/brutelogic) created a Web Gun site (http://brutelogic.com.br/webgun/) that is pretty neat too. It is a bunch of drop-down items that create your proof-of-concept XSS payload. Really customizable and flexible. Check out the pic below.
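On the six-character encoding mentioned above, here is an added example (not from the original post or from either site) of the defender's view: a keyword blocklist sees nothing in such input, while a check on runs of the six characters does flag it. The function names, the blocklist, the threshold of 24 and the samples are all constructed for illustration.

```javascript
// The six characters the encoding is restricted to.
const SIX_CHARS = new Set(['[', ']', '(', ')', '!', '+']);

// Hypothetical keyword blocklist of the kind many input filters rely on.
function naiveKeywordFilter(input) {
  return /(script|alert|onerror|javascript:)/i.test(input);
}

// Longest run of characters drawn only from the six-character set.
// Whitespace is skipped so that padding cannot break up a run.
function longestSixCharRun(input) {
  let best = 0;
  let cur = 0;
  for (const ch of input) {
    if (/\s/.test(ch)) continue;
    cur = SIX_CHARS.has(ch) ? cur + 1 : 0;
    if (cur > best) best = cur;
  }
  return best;
}

// Assumed threshold: ordinary text and code rarely chain 24 of these characters.
function classify(input, minRun = 24) {
  const keywordHit = naiveKeywordFilter(input);
  const run = longestSixCharRun(input);
  return { keywordHit, run, flagged: keywordHit || run >= minRun };
}

// Constructed samples. encodedFragment is built from type-coercion primitives
// ("false"[0], "false"[2], "true"[0]) and evaluates to the harmless string "flt".
const SAMPLES = {
  benignMath: 'total = (a + b) * [1, 2][0]',
  benignText: 'Hello!! (see note [1])',
  encodedFragment: '(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]',
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, classify(value));
}
```

A run-length check like this belongs alongside output encoding and a Content Security Policy, not in place of them.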