Your Payload. Our Drop.
A self-contained HTML smuggling payload generator. Zero dependencies. Pure client-side.
RaccDrop generates self-contained HTML files that embed arbitrary files using various encoding and encryption techniques. When the generated HTML is opened in a browser, it automatically decodes the payload and triggers a download — no server required.
This is a technique known as HTML Smuggling, commonly used in red team engagements and security research to deliver payloads through web-based channels that bypass network-level inspection.
| Method | Description |
|---|---|
| CSS | Hides Base64 payload in a hidden <div> data attribute |
| XOR | XOR cipher with random key, output Base64-encoded |
| AES | AES-GCM encryption via Web Crypto API (256-bit, 12-byte IV) |
| RC4 | RC4 stream cipher with random key |
| Base64 | Simple Base64 encoding |
| Hex | Hex-encoded string |
| Reverse | Reversed string |
| CharCode | JSON array of character codes |
| Decimal | Decimal dot-separated char codes |
| Custom B64 | Custom shuffled Base64 alphabet |
| SVG | Payload hidden in an SVG data- attribute |
| Multi-layer | Chain any combination of the above methods |
- Select any file you want to deliver
- Choose an encoding/encryption method (or chain multiple)
- Execute the drop to generate a standalone HTML file
- The generated HTML decodes and delivers the original file when opened
No installation needed. Just open index.html in any modern browser.
Or visit the hosted version on GitHub Pages.
- Pure vanilla JavaScript (no frameworks, no libraries)
- Web Crypto API for AES-GCM encryption
- FileReader & Blob APIs for file handling
- Zero external dependencies
- No build step required
This tool is intended for authorized security testing and research purposes only. Misuse of this tool for unauthorized access or malicious activities is strictly prohibited. Always obtain proper authorization before conducting security assessments.
Built with raccoon energy

