$loading...
The one-stop toolkit for pentesters. 32 generators, 73 tools, 43 cheat sheets — XSS, SQLi, reverse shells, JWT attacks, encoding pipelines, and more. All processing happens locally.
73 tools — 286-operation encoding pipeline, JWT builder, hash generator, WAF bypass, OWASP checklist, and more.
Explore43 copy-ready cheat sheets — XSS, SQLi, SSRF, SSTI, JWT, WAF bypass, reverse shells, Linux/Windows PrivEsc, cloud attacks, and more.
ExploreIn-depth guides on XSS, reverse shells, SQLi, SSRF exploitation, and JWT attacks.
Readnpx payload-playground — all generators and pentester utilities in your terminal.
Everything you need for authorized penetration testing, bug bounties, and CTF competitions.
XSS, SQLi, reverse shells, SSRF, JWT, IDOR, race conditions, and 25 more — all in one toolkit.
All payloads generated locally in your browser. Nothing you create ever leaves your device.
No loading spinners. Payloads update in real-time as you configure.
Install via npm. Pipe output into scripts, CI/CD pipelines, and other tools.
Injection, Web, System, Auth, Protocol, and Data — organized for quick access.
Persist settings locally. Instantly recall complex payload configurations across sessions.
Build SQL injection payloads for MySQL, PostgreSQL, MSSQL, and more.
Craft NoSQL injection payloads for MongoDB and other databases.
Generate GraphQL injection payloads for introspection, batching, and query abuse.
Generate XPath injection payloads for authentication bypass and data extraction.
Generate LDAP injection payloads for authentication bypass and data extraction.
Craft Cross-Site Scripting payloads with encoding and tag options.
Craft Server-Side Request Forgery payloads with IP encoding tricks.
Generate malicious filenames and web shell content for upload testing.
Create SSTI payloads for Jinja2, Twig, Freemarker, and more.
Build prototype pollution payloads using __proto__ and constructor.
Craft open redirect payloads with protocol-relative and domain bypass tricks.
Generate CORS misconfiguration PoC payloads for reflected origin and subdomain bypass testing.
Generate Cross-Site Request Forgery PoC payloads with auto-submit forms, XHR, and clickjacking.
Generate WAF evasion payloads using encoding tricks, case variations, and alternative syntax.
Generate race condition PoC payloads with parallel curl, Turbo Intruder, async Python, and last-byte sync.
Generate cache poisoning payloads using unkeyed headers for XSS, DoS, and open redirect attacks.
Price manipulation, workflow bypass, race conditions, and privilege escalation payloads for business logic vulnerability testing.
Generate reverse shell one-liners for various languages and OS targets.
Create OS command injection payloads with separators and encoding.
Generate LFI traversal payloads with wrappers and encoding options.
Generate AWS, GCP, Azure, Kubernetes, and Docker attack payloads for metadata SSRF, IAM credential theft, and container escape.
Input your enumeration results to get targeted Linux and Windows privilege escalation commands.
Kubernetes RBAC abuse, container escape, AWS/GCP/Azure IAM privilege escalation chains for post-compromise cloud attacks.
iOS Frida scripts, Android ADB/intent fuzzing, certificate pinning bypass, and OWASP Mobile Top 10 testing payloads.
Create and sign JWT tokens with various algorithms including 'none'.
Generate Insecure Direct Object Reference testing payloads with sequential IDs, UUID tampering, and path traversal.
Generate Kerberoasting, AS-REP Roasting, Pass-the-Hash, DCSync, Golden Ticket, and lateral movement commands.
Generate CRLF injection payloads for header injection and response splitting.
Generate HTTP request smuggling payloads for CL.TE, TE.CL, and HTTP/2 downgrade attacks.
Generate CSWSH, injection, smuggling, and authentication bypass payloads for WebSocket testing.
No sign-up needed for free tools. Everything runs in your browser. Start generating payloads in seconds.