Changelog

Version history for Payload Playground. Track new tools, generators, CLI updates, and improvements.

v1.6.0

2026-03-10Latest

6 New CLI Commands + Fingerprint DB Accuracy Overhaul

-57 total CLI commands — 24 generators + 33 utilities
-Subdomain takeover fingerprint database corrected per can-i-take-over-xyz 2024

Added

-CLI: takeover — check subdomains against 38 service fingerprints for CNAME-based takeover
-CLI: gql-recon — GraphQL introspection, batching, injection, DoS, and field fuzzing payloads
-CLI: ssti-id — identify template engine from probe output and print RCE payloads
-CLI: oauth — generate OAuth 2.0 / OIDC attack URLs (redirect bypass, CSRF, PKCE downgrade)
-CLI: owasp — print OWASP Top 10 test checklist by tech stack
-CLI: finding — output pentest finding report templates in Markdown

Fixed

-Subdomain takeover: corrected 18 fingerprints — GitHub Pages, Heroku, Fastly, Shopify, and 14 others now correctly marked as patched
-Campaign Monitor correctly flipped to vulnerable (was wrongly marked patched)
-Added explainer to fingerprint database clarifying it is not a list of vulnerable websites

v1.5.0

2026-03-09

AI Payload Mutator + OWASP Checklist + 4 New Tools

-26 total web tools — 7 new tools added
-AI-powered payload mutation via DeepSeek

Added

-AI Payload Mutator — generate context-aware payload variations using DeepSeek AI
-SSTI Identifier & Payload Builder — detect template engine and get RCE payloads
-OWASP Top 10 Checklist Generator — customizable checklist by tech stack
-Pentest Findings Documenter — structured vulnerability report builder
-OAuth/OIDC Attack Wizard — redirect URI bypass, PKCE downgrade, token leak testing
-GraphQL Security Tester — introspection, batching, injection, and DoS payloads
-Subdomain Takeover Checker — 38 service fingerprints with claim instructions

v1.4.0

2026-03-09

14 New CLI Commands + Full Web/CLI Parity

-51 total CLI commands — 24 generators + 27 utilities
-Full parity between web tools and CLI

Added

-CLI: regex — test regex patterns against text with global/case-insensitive/multiline flags
-CLI: password — generate secure passwords and passphrases with configurable charsets
-CLI: timestamp — convert between Unix epoch, ISO 8601, UTC, and local time
-CLI: cvss — calculate CVSS 3.1 base scores from vector strings
-CLI: deobfuscate — deobfuscate JavaScript (hex/unicode/octal/fromCharCode/atob)
-CLI: msfvenom — generate msfvenom commands for 8 platforms
-CLI: waf-transform — chain encoding transforms for WAF bypass
-CLI: diff — compare two files or strings with colored diff output
-CLI: favicon-hash — MurmurHash3 favicon hash for Shodan recon
-CLI: csp — evaluate Content Security Policy headers for misconfigurations
-CLI: dork — generate Google/Shodan/GitHub/Censys search dorks
-CLI: http-parse — parse raw HTTP requests/responses with header/cookie/auth extraction
-CLI: mutate — generate 50+ payload mutations with auto-detection
-CLI: chain-solve — auto-detect and recursively decode multi-layer encoding

v1.3.0

2026-03-08

Payload Mutator + HTTP Parser + Smart Paste Hub

-Payload Mutator — auto-generate 50+ WAF bypass mutations from any payload
-HTTP Request/Response Parser with security analysis
-Smart Paste Hub — universal auto-detection for any pasted string
-Regex from examples — auto-generate patterns from sample strings

Added

-Payload Mutator Engine — auto-detects 7 payload types (XSS, SQLi, CMDi, traversal, SSTI, XXE, SSRF), generates type-specific mutations
-HTTP Request/Response Parser — 4 tabs (Parse, Compare, Convert, History), injection point detection, code generation
-Smart Paste Hub — 15 detection rules, confidence badges, "Open in [Tool]" buttons on the Tools page
-Regex from Examples — provide positive/negative examples, generates 7 candidate regex patterns

Improved

-WAF Bypass tool rewritten as comprehensive bypass platform — 9 WAF profiles, 200+ variants, transform chain builder
-JWT Decoder upgraded with OAuth2/OIDC templates (Auth0, Okta, Cognito, Azure AD, Google, Firebase), 17 attack templates, JWKS generator, batch decode, algorithm reference
-Password Generator upgraded — 5 tabs, pronounceable/passphrase/pattern modes, NIST/PCI-DSS/HIPAA/OWASP policy checking, batch audit
-Header Analyzer upgraded — 27 headers, 6 tabs, CORS detection, cookie analysis, info disclosure, header comparison, code generation
-Encoding Pipeline auto-solve — visual chain display with colored step badges, confidence bars

v1.2.0

2026-03-07

8 New Tools + Major Tool Upgrades

-19 total web tools (was 11)
-8 new tools: CVSS Calculator, JS Deobfuscator, MSFVenom Builder, WAF Bypass, Text Diff, Favicon Hash, CSP Evaluator, Dork Generator
-Encoding Pipeline expanded to 193 operations

Added

-CVSS 3.1 Calculator — all 8 base metrics, severity ratings, metric breakdown
-JavaScript Deobfuscator — hex/unicode/octal unescape, fromCharCode, atob, eval resolution
-MSFVenom Builder — 8 platforms, encoder/iteration support, format options
-WAF Bypass tool — 9 WAF profiles, 200+ bypass variants, transform chain builder
-Text Diff — LCS-based line diff with colored output, file upload support
-Favicon Hash Calculator — MurmurHash3 for Shodan recon
-CSP Evaluator — directive parsing, unsafe-inline/eval/wildcard detection
-Dork Generator — Google/Shodan/GitHub/Censys, 50+ templates, operator reference

Improved

-Encoding Pipeline expanded from 72 to 193 operations with 5 new preset recipes
-IP Calculator — IPv6 support, subnet map, expanded SSRF bypasses, port reference, range-to-CIDR
-Regex Tester — explanation panel, visual builder, debugger, 52 pentest patterns
-Encoder/Decoder upgraded to 31 encodings with byte inspector and Shannon entropy
-Hash tool — 6 non-crypto algorithms, salted hashing, export, multi-file, weak hash detection

v1.1.0

2026-03-05

Blog, Cheatsheets, SEO Overhaul

-16 SEO-optimized blog articles
-22 cheat sheets (15 new)
-RSS feed, social sharing, comparison pages

Added

-16 blog articles covering XSS, SQLi, reverse shells, SSRF, JWT, WAF bypass, file upload, SSTI, command injection, NoSQL injection, LDAP injection, IDOR, race conditions, XPath, CORS
-15 new cheat sheets: SSRF, SSTI, XXE, CSRF, JWT attacks, file upload, open redirect, NoSQL injection, IDOR, prototype pollution, CRLF injection, WAF bypass, HTTP smuggling, deserialization, CORS
-RSS feed at /blog/feed.xml with autodiscovery
-Social sharing buttons on blog posts and cheatsheets
-SEO comparison pages: /alternatives (CyberChef), /alternatives/revshells, /alternatives/hacktricks
-IndexNow submissions to Bing/Yandex/Seznam
-FAQPage JSON-LD on tools, cheatsheets, CLI, blog, encoding pipeline pages
-BreadcrumbList JSON-LD structured data across all pages
-Security glossary page

Improved

-Footer with glowing divider, category nav links, tool links, blog link
-Header with Tools + Cheat Sheets + Blog + CLI links, glassmorphism styling
-Command palette with cycling animated placeholder suggestions

v1.0.0

2026-03-01

Initial Release

-24 payload generators across 6 categories
-11 web tools
-CLI with 24 generators + 6 utilities
-5 cheat sheets

Added

-24 payload generators: XSS, SQLi, Reverse Shell, SSRF, SSTI, LFI, XXE, CMDi, File Upload, Open Redirect, CORS, NoSQL, JWT, Prototype Pollution, CRLF, GraphQL, XPath, LDAP, HTTP Smuggling, CSRF, WAF Bypass, IDOR, Race Condition, Deserialization
-11 web tools: Encoding Pipeline (72+ ops), Encoder/Decoder, Hash Generator, JWT Decoder, Regex Tester, Header Analyzer, Password Generator, IP Calculator, Timestamp Converter
-CLI (npm: payload-playground) with 24 generators and 6 utilities
-5 cheat sheets: XSS, SQL Injection, Reverse Shells, Command Injection, LFI/Path Traversal
-Reverse shell generator with 30 shell types, listener commands, and stabilization
-Animated grid background, cursor spotlight, terminal preview, command palette
-Dark/light theme, responsive design, keyboard shortcuts
-JSON-LD structured data, SEO metadata, OG images for all pages
-Pre-commit hooks with ESLint and Jest

$loading...