Professional-grade security testing payloads. Currently supporting XSS fuzzing with 469 active vectors across 28 categories. Grammar-based generation for comprehensive coverage.
Built for professional penetration testers and security researchers
Generates syntactically valid payloads from the production rules of a context-free grammar rather than from random strings, producing realistic attack vectors for comprehensive security testing.
Current implementation covers 28 XSS attack categories including mXSS, CSP bypass, DOM clobbering, prototype pollution, and modern browser quirks.
Production-ready FastAPI server with parallel generation, rate limiting, and comprehensive documentation.
API-key authentication, PostgreSQL database, rate limiting, and ready for AWS deployment. Built for enterprise security testing.
Docker containerized, Terraform infrastructure, CI/CD pipelines, and multi-environment deployment support.
Parallel payload generation with ThreadPoolExecutor, auto-scaling support, and comprehensive monitoring via CloudWatch.
Current implementation: 28 XSS categories covering 90%+ of the modern attack surface
Generate payloads with a single HTTP request
curl -X POST https://api-staging.craft.exploit.design/payloads \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your-api-key-here" \
  -d '{
    "count": 10,
    "categories": ["csp_bypass", "dom_clobbering"],
    "format": "json"
  }'
{
  "count": 10,
  "format": "json",
  "payloads": [
    {
      "payload": "<svg/onload=alert(1)>",
      "category": "svg_xss",
      "metadata": {...}
    },
    ...
  ]
}
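As an added example (not code from the project or its API docs), the Python below parses a response in the format shown above and runs every returned vector through an output encoder, reporting any that survive encoding so a defender can regression-test their own sanitizer against the generated corpus. The sample response, the non-`svg_xss` category names, and all function names are constructed assumptions.

```python
import html
import json
from collections import defaultdict

# Constructed sample in the documented /payloads response shape (not live API output).
# Only "svg_xss" is a category named on the page; the other two are assumed.
SAMPLE_RESPONSE = json.dumps({
    "count": 3,
    "format": "json",
    "payloads": [
        {"payload": "<svg/onload=alert(1)>", "category": "svg_xss", "metadata": {}},
        {"payload": "<img src=x onerror=alert(1)>", "category": "img_xss", "metadata": {}},
        {"payload": "\"><script>alert(1)</script>", "category": "script_injection", "metadata": {}},
    ],
})


def parse_payloads(body):
    """Parse a /payloads JSON body into {category: [payload, ...]} and sanity-check count."""
    data = json.loads(body)
    by_category = defaultdict(list)
    for item in data["payloads"]:
        by_category[item["category"]].append(item["payload"])
    if sum(len(v) for v in by_category.values()) != data["count"]:
        raise ValueError("count field does not match number of payloads returned")
    return dict(by_category)


def encode_for_html_text(value):
    """Encoder under test: HTML-entity-escape <, >, &, and both quote characters."""
    return html.escape(value, quote=True)


def surviving_payloads(body, encoder):
    """Return (category, payload) pairs whose encoded form still carries a tag or
    attribute delimiter, i.e. vectors the encoder failed to neutralise."""
    failures = []
    for category, payloads in parse_payloads(body).items():
        for p in payloads:
            if any(c in encoder(p) for c in "<>\"'"):
                failures.append((category, p))
    return failures


if __name__ == "__main__":
    print("survivors with html.escape:", surviving_payloads(SAMPLE_RESPONSE, encode_for_html_text))
    weak = lambda s: s.replace("<script>", "")  # a deliberately inadequate blocklist encoder
    print("survivors with weak encoder:", surviving_payloads(SAMPLE_RESPONSE, weak))
```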
Secure API key authentication with PostgreSQL-backed key management and expiration
Parallel generation with ThreadPoolExecutor for high throughput
Filter by attack category or get random vectors from all 28 categories