Everything you need to know about Payload Playground — 32 payload generators, 83 security tools, 97 cheat sheets, and a CLI with 57 commands. All tools free, all client-side. Optional Pro plan for AI features.
Payload Playground is a free security testing toolkit that runs entirely in your browser. No sign-up needed for free tools, no installation, no data leaves your machine. Open any tool or generator and start using it immediately.
ppg xss -c alert -t attrGenerate XSS payloads for attribute contextsppg sqli -d mysql --technique unionMySQL UNION-based SQLi payloadsppg revshell -l 10.0.0.1 -p 4444 -s bashBash reverse shell one-linerppg encode -e base64 "test payload"Base64-encode a stringppg hash -a sha256 "password123"SHA-256 hash of a string83 free security tools organized by category. All run client-side with no data leaving your browser.
Subnet calc, SSRF bypass, format converter
Unix epoch, JWT timestamps, time math
Score vulnerabilities with all 8 base metrics
Eval unpacking, string recovery, hex unescape
Side-by-side or inline diff with char-level highlighting
32 payload generators across 6 categories. Each generates context-aware, copy-ready payloads for security testing.
97 copy-ready cheat sheets with categorized payloads, filter bypasses, and platform-specific variants.
Press ? anywhere on the site to see all available shortcuts.
All 32 generators, 83 tools, and 97 cheat sheets are free — no sign-up needed. Optional AI features require a Pro account ($12/mo).
All tools run 100% client-side in your browser. Your payloads, tokens, and test data never leave your machine. Pro AI features send your payload to our AI service for analysis. All other tools remain 100% client-side.
Absolutely. Payload Playground is designed for CTF competitions, bug bounty programs, and authorized penetration testing. The generators cover the most common vulnerability categories you will encounter in CTFs and real-world engagements.
CyberChef is a general-purpose data transformation tool. Payload Playground is purpose-built for security testing: 32 payload generators, WAF bypass transformations, payload mutation engine (50+ mutations per payload), JWT attack templates, 97 security cheat sheets, and a pipe-friendly CLI. The Encoding Pipeline supports 286 operations including security-specific ones like WAF bypass encoding, AES-CBC, RC4, and Vigenere.
Use the CLI (payload-playground on npm) for scripting, piping output into other tools (e.g., ppg xss -c alert | httpx), and terminal-based workflows. Use the web interface for visual interaction, exploring options, and when you want to see results in real-time with syntax highlighting.
Yes. The CLI includes TTY detection — when piped into another command, it outputs clean text without colors or formatting. This makes it easy to chain with tools like httpx, nuclei, ffuf, and standard Unix utilities.
The Encoder/Decoder tool supports 31 encodings: Base64, URL, Hex, HTML entities, Unicode (\u), Octal, Binary, ROT13, Base32, ASCII85, Punycode, and more. The Encoding Pipeline extends this to 286 chainable operations including AES-CBC, RC4, Vigenere, Gzip, Deflate, HMAC-SHA256/512, CRC32, and analysis operations.
Yes. The Encoding Pipeline supports drag-and-drop operation chaining with intermediate results visible at each step. Build custom recipes, save presets, and share them via URL. Think CyberChef, but tailored for security testing.
The web interface works offline after the first page load since everything runs client-side in JavaScript. The CLI (npm install -g payload-playground) works fully offline with no internet required after installation.
Send feedback or report bugs via email at [email protected]. Feature requests, bug reports, and suggestions are all welcome.