Interactive, browser-based application security tools. Everything runs client-side — nothing you paste leaves your machine, and each tool works offline.

JWT Attack Playground

Forge and test JWT attacks hands-on: alg:none, RS256→HS256 algorithm confusion, weak-secret brute-force, and claim tampering — then fire your forged token at a configurable verifier to see exactly how a vulnerable vs. secure server responds. Pairs with the JWT security guide.

Open the JWT Attack Playground →

Deserialization Gadget Visualizer

Insecure deserialization, made visual: trace well-known gadget chains (ysoserial CommonsCollections, Groovy, Spring…) from readObject() entry to the Runtime.exec RCE sink as interactive node graphs, and disassemble Java / Python-pickle / PHP serialized blobs byte by byte. It only reads the wire format — never deserializes or executes. Pairs with the insecure deserialization guide.

Open the Deserialization Gadget Visualizer →

SSRF Target Simulator

Learn Server-Side Request Forgery by doing it: craft URL bypasses (decimal/hex IPs, IPv6, DNS rebinding, redirects) against a simulated internal network and a configurable defense, and watch exactly where the filter and the fetcher disagree. The goal is reaching the cloud metadata endpoint — and it’s 100% simulated, so it never makes a real request. Pairs with the SSRF guide.

Open the SSRF Target Simulator →