Cross-Site Scripting (XSS) Practice Test File (CSV)
===================================================

This is a synthetic, defender-focused dataset for practicing machine-learning defenses against Cross-Site Scripting (XSS) attacks.
Each row represents a web request/input event with derived payload features.

label:
  0 = normal input/request
  1 = XSS injection attempt

Columns
-------
request_id
  Unique request identifier.

timestamp_utc
  Request timestamp in UTC (ISO-8601).

source_ip
  Source IP address (synthetic).

http_method
  HTTP method (GET or POST).

endpoint
  Application endpoint receiving the input (e.g., /comments, /search).

payload
  The submitted input string (synthetic). Contains benign text for label=0 and marker-like script patterns for label=1.

payload_length
  Length of the payload string.

script_tag_count
  Count of <script / </script markers observed in the payload (case-insensitive).

js_keyword_count
  Count of JavaScript-related keywords (e.g., document, cookie, window, onerror, onload, fetch, eval).

xss_marker_count
  Count of common XSS markers (e.g., javascript:, onerror=, onload=, <img, <svg, src=, href=).

special_char_count
  Count of special characters commonly seen in injection payloads (< > " ' / = ; ( ) & # : ).

payload_entropy
  Shannon entropy of the payload; higher values can indicate obfuscation/encoding.

url_encoding_ratio
  Fraction of the payload comprised of percent-encoded bytes (e.g., %3C).

encoding_anomaly_flag
  1 if the payload shows encoding patterns often used in obfuscation (percent-encoding or HTML entities).

suspicious_pattern_flag
  1 if the payload matches common suspicious patterns (marker/script indicators), else 0.

response_code
  HTTP response code returned by the application/WAF (synthetic). Attacks may be blocked (403) or cause errors (400/500).

Suggested Practice Tasks
------------------------
1) Train a baseline classifier to predict label.
2) Evaluate with Precision/Recall and PR-AUC (false positives matter for user-facing apps).
3) Compare text-vector models (TF-IDF on payload) vs feature-only models (counts/entropy/encoding).
4) Tune an alert threshold to balance blocking vs false positives.
5) Use feature importance/SHAP to understand which payload signals drive detections.