No accounts, no tracking, no server round-trips where they can be avoided. Pick a tool below — everything runs in your browser.
Decode JWT header and payload, flag alg:none and weak signing, edit claims and re-sign.
Identify a hash's likely type with ranked candidates and matching Hashcat mode numbers, or generate MD5, SHA-1, SHA-256, SHA-384, SHA-512, and NTLM hashes from text.
Chain Base64, Hex, URL, and HTML-entity encoding and decoding steps to build or unwrap obfuscated payloads.
Detect Unicode homoglyph/confusable characters in suspicious text (e.g. spoofed domains), or generate homoglyph-substituted lookalike strings.
Generate XSS payloads across basic to advanced WAF-bypass and encoding techniques, for reflected/stored or DOM-based contexts.
Build SQL injection payloads across MySQL, MSSQL, PostgreSQL, Oracle, and SQLite, with chainable info extraction, WAF-evasion obfuscation, and blacklist-character avoidance.