$loading...
Everything you need to know about Payload Playground — 25 payload generators, 39 security tools, 26 cheat sheets, and a CLI with 57 commands. All free, all client-side.
Payload Playground is a free security testing toolkit that runs entirely in your browser. No sign-up, no installation, no data leaves your machine. Open any tool or generator and start using it immediately.
ppg xss -c alert -t attrGenerate XSS payloads for attribute contextsppg sqli -d mysql --technique unionMySQL UNION-based SQLi payloadsppg revshell -l 10.0.0.1 -p 4444 -s bashBash reverse shell one-linerppg encode -e base64 "test payload"Base64-encode a stringppg hash -a sha256 "password123"SHA-256 hash of a string39 free security tools organized by category. All run client-side with no data leaving your browser.
Subnet calc, SSRF bypass, format converter
Unix epoch, JWT timestamps, time math
Score vulnerabilities with all 8 base metrics
Eval unpacking, string recovery, hex unescape
Side-by-side or inline diff with char-level highlighting
25 payload generators across 6 categories. Each generates context-aware, copy-ready payloads for security testing.
26 copy-ready cheat sheets with categorized payloads, filter bypasses, and platform-specific variants.
Press ? anywhere on the site to see all available shortcuts.
Yes, 100% free. No account needed, no sign-up, no credit card. All 25 generators, 39 tools, and 26 cheat sheets are available immediately.
No. Everything runs 100% client-side in your browser. No input data is ever transmitted to any server. Your payloads, tokens, and test data never leave your machine.
Absolutely. Payload Playground is designed for CTF competitions, bug bounty programs, and authorized penetration testing. The generators cover the most common vulnerability categories you will encounter in CTFs and real-world engagements.
CyberChef is a general-purpose data transformation tool. Payload Playground is purpose-built for security testing: 25 payload generators, WAF bypass transformations, payload mutation engine (50+ mutations per payload), JWT attack templates, 26 security cheat sheets, and a pipe-friendly CLI. The Encoding Pipeline supports 286 operations including security-specific ones like WAF bypass encoding, AES-CBC, RC4, and Vigenere.
Use the CLI (payload-playground on npm) for scripting, piping output into other tools (e.g., ppg xss -c alert | httpx), and terminal-based workflows. Use the web interface for visual interaction, exploring options, and when you want to see results in real-time with syntax highlighting.
Yes. The CLI includes TTY detection — when piped into another command, it outputs clean text without colors or formatting. This makes it easy to chain with tools like httpx, nuclei, ffuf, and standard Unix utilities.
The Encoder/Decoder tool supports 31 encodings: Base64, URL, Hex, HTML entities, Unicode (\u), Octal, Binary, ROT13, Base32, ASCII85, Punycode, and more. The Encoding Pipeline extends this to 286 chainable operations including AES-CBC, RC4, Vigenere, Gzip, Deflate, HMAC-SHA256/512, CRC32, and analysis operations.
Yes. The Encoding Pipeline supports drag-and-drop operation chaining with intermediate results visible at each step. Build custom recipes, save presets, and share them via URL. Think CyberChef, but tailored for security testing.
The web interface works offline after the first page load since everything runs client-side in JavaScript. The CLI (npm install -g payload-playground) works fully offline with no internet required after installation.
Send feedback or report bugs via email at feedback@payloadplayground.com. Feature requests, bug reports, and suggestions are all welcome.