Craft
Payload Generator

Grammar-based fuzzing payloads for comprehensive security testing. XSS available now with 469 active vectors across 28 categories. SQL, Command, and NoSQL injection coming soon.

craft-api-demo.sh

$ ▊

# Response (200 OK)

⚡ Live preview • Payloads rotate every 8 seconds

Request API Access View Documentation

469

Active Vectors

Payload Coverage

Comprehensive fuzzing payloads across multiple injection types

mXSS (Mutation XSS) ✓
CSP Bypass ✓
DOM Clobbering ✓
Prototype Pollution ✓
Template Injection ✓
Unicode Normalization ✓
SVG/MathML XSS ✓
Dangling Markup ✓
Event Handlers ✓
HTML Injection ✓
Attribute Injection ✓
JavaScript Context ✓
CSS Injection ✓
URL Injection ✓
DOM-Based XSS ✓
Polyglot XSS ✓
postMessage XSS ✓
Service Worker XSS ✓
Script Gadgets ✓
JSONP XSS ✓
Sanitizer Bypass ✓
Trusted Types Bypass ✓
Shadow DOM XSS ✓
WebAssembly XSS ✓
Import Map Hijacking ✓
NoSQL Injection → XSS ✓
Mobile WebView XSS ✓
Browser Extension XSS ✓

Currently showing 8 advanced techniques

UNION-based SQLi ⋯
Boolean-based Blind SQLi ⋯
Time-based Blind SQLi ⋯
Error-based SQLi ⋯
Stacked Queries ⋯
Second-Order SQLi ⋯

Shell Metacharacters ⋯
Command Chaining ⋯
Command Substitution ⋯
Inline Execution ⋯
Path Traversal ⋯
Environment Variable Injection ⋯

MongoDB Operator Injection ⋯
JavaScript Injection ⋯
NoSQL Tautologies ⋯
JSON Injection ⋯

Why Craft?

Built for professional penetration testers and security researchers

Grammar-Based Generation

Generates syntactically valid payloads from production rules using context-free grammar, not random strings. Produces realistic attack vectors for comprehensive security testing.

Multi-Injection Coverage

Comprehensive payload generation across multiple injection types. XSS available now with 28 categories (mXSS, CSP bypass, DOM clobbering, etc.). SQL, Command, and NoSQL injection in development.

REST API

FastAPI server with parallel generation, rate limiting, and comprehensive documentation.

Simple REST API

Generate fuzzing payloads with a single HTTP request. XSS available now, more types coming soon.

POST /payloads

curl -X POST https://api-staging.craft.exploit.design/payloads \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your-api-key-here" \
  -d '{
    "count": 10,
    "categories": ["csp_bypass", "dom_clobbering"],
    "format": "json"
  }'

Response:

{
  "count": 10,
  "format": "json",
  "payloads": [
    {
      "payload": "<svg/onload=alert(1)>",
      "category": "svg_xss",
      "metadata": {...}
    },
    ...
  ]
}

Authenticated

Secure API key authentication with PostgreSQL-backed key management and expiration

Fast

Parallel generation with ThreadPoolExecutor for high throughput

Categorized

Filter by attack category or get random vectors from all 28 categories

Craft Payload Generator