No accounts, no tracking, no server round-trips where it can be avoided. Pick a tool below — everything runs in your browser.
Decode JWT header and payload, flag alg:none and weak signing, edit claims and re-sign — or build and sign a brand-new token with HMAC, RSA, ECDSA, or RSA-PSS.
Chain Base64, Hex, URL, and HTML-entity encoding and decoding steps to build or unwrap obfuscated payloads.
Detect Unicode homoglyph/confusable characters in suspicious text (e.g. spoofed domains), or generate homoglyph-substituted lookalike strings.
Generate XSS payloads across basic to advanced WAF-bypass and encoding techniques, for reflected/stored or DOM-based contexts.
Build SQL injection payloads across MySQL, MSSQL, PostgreSQL, Oracle, and SQLite, with chainable info extraction, WAF-evasion obfuscation, and blacklist-character avoidance.
Generate reverse shell one-liners across Bash, Netcat, Python, PHP, Perl, Ruby, Socat, Awk, Telnet, Node.js, Lua, Golang, and PowerShell, with a matching listener command and save-as-file options.
Build msfvenom commands with template presets for Windows, Linux, macOS, and Android payloads, evasion encoders, and architectures — copy-ready, with a listener setup guide.
Generate candidate subdomain wordlists from a base domain, environment/service/region tokens, and your own keywords — dedup'd, capped, and ready to pipe into massdns/puredns/dnsx. No DNS lookups happen here.