Pentest Payload
Generator

Creates a ZIP archive containing highly compressible data. The compressed size is tiny but decompresses to a huge file, causing resource exhaustion.

Creates a ZIP archive containing entries with path traversal in the filename. When extracted without sanitization, files are written outside the target directory.

Creates a TAR archive containing symlink entries pointing to sensitive files. When extracted, the symlinks expose files outside the extraction directory.

Injects XML External Entity (XXE) payloads into DOCX files to test for XXE vulnerabilities in Word document parsers.

Generates PDF files with embedded JavaScript that executes when opened in Adobe Acrobat Reader.

Injects XML External Entity (XXE) payloads into PPTX files to test for XXE vulnerabilities in PowerPoint presentation parsers.

Injects XML External Entity (XXE) payloads into XLSX files to test for XXE vulnerabilities in spreadsheet parsers.

Injects payload strings into GIF89a comment extension blocks for testing image parsers.

Injects payload strings into JPEG COM (comment) markers for testing image parsers and metadata extraction.

Injects payload strings into PNG metadata text chunks (tEXt, iTXt, zTXt) for testing image parsers.

Generates SVG files with embedded XSS (script, onload, event handler) or XXE payloads for testing image upload and rendering pipelines.

Generates a file that is both a valid JPEG image and renderable HTML. Useful for testing content-type sniffing and dual-interpretation vulnerabilities.

Generates a file that is both a valid PDF document and valid JavaScript. When loaded via <script src>, the JS payload executes.

Generates a file that is both a valid PNG image and a valid ZIP archive. PNG parsers see the image; ZIP tools can extract embedded files.