Get the proof you need to submit valid reports

Every missed callback is
a bounty you never submit.

PingBack helps bug bounty hunters confirm Blind SSRF, XXE, Blind XSS and other out-of-band vulnerabilities with real-world evidence. Generate a listener in seconds, get notified when it fires, and turn blind bugs into valid reports.

I have a key

I need a hunting key

read docs →

Email, Discord & Telegram alerts can be added later from your dashboard.

$5 / month One key = Unlimited listeners
(less than what you'd spend on a Big Mac🍔🍟)

Unlimited HTTP, DNS, SMTP & Blind XSS listeners
Ready-made payloads + pre-built SVG / PDF / XXE files
Full headers, body, IP, ASN, geo & timing capture
Email, Discord & Telegram alerts + JSON API
No-log dashboard — we never ask for your email

Get your key → Start Catching Callbacks

Instant delivery · anonymous · no subscription auto-renew

HTTP callbacks DNS callbacks SMTP callbacks Blind XSS JSON API Ready payload files

listener live

—

active for 30 days

Save this dashboard URL now

It's the only way to access your captures. We don't have your email.

—

open dashboard →

What to do next

↓ save dashboard details downloads a .txt with your dashboard URL, token and every payload (including the pre-built files). Store it safely — it's the only way back in.
open dashboard → opens your live capture feed in a new tab. Keep it open to watch callbacks arrive in real time.

💡 Tip: bookmark the dashboard URL too. There's no password recovery — the URL is your login.

Payloads for this listener

copy or download

Ready-to-use payloads

click copy

HTTP / HTTPS SSRF, webhooks, image proxies

—

DNS log4j, blind injections, firewalled SSRF

—

Blind XSS admin panels, support tickets, profile fields

—

SMTP password resets, invitations, contact forms

—

log4j JNDI log4shell-style header injection

—

filename upload listing XSS, file rename attacks

—

CSV / formula spreadsheet export, Excel callbacks

—

Pre-built file payloads

listener pre-embedded

Upload these ready-made files to test image parsers, document renderers, XML processors and upload pipelines. Your listener URL is baked in server-side.

🖼SVGimage parser SSRF ⚡SVG XSSinline render XSS 🌄PNGURL in metadata 🎞GIFURL in comment 📄PDFURI + open action 📃HTMLupload XSS test 📑XMLXXE external entity 🧬DTDblind XXE exfil

read the docs →

Three steps to a callback

No setup, no server to host, no Burp Pro. Generate, inject, get notified.

Generate a listener

One click gives you a unique subdomain on *.pingback.sh plus ready-made HTTP, DNS, SMTP and Blind XSS payloads.

Drop it in your payload

Paste the callback URL into any suspicious sink — a profile field, a webhook config, an XML parser, a log line.

Get the ping

When the target bites, you get full headers, body, IP, geo and timing — instantly, with email, Discord or Telegram alerts.

This is what you get back

Report-ready evidence, not a screenshot. Every interaction is logged with the detail an H1 / Bugcrowd triager needs.

blind-xss · captured interaction live

type : blind-xss fired_at : 2026-05-31 14:02:09 UTC (18 days after injection) source_ip : 203.0.113.44 · AS13335 Cloudflare · US page_url : https://admin.target.com/support/ticket/8842 user_agent: Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 cookies : session=•••••••• (captured) dom : <div class="admin-panel">… exfiltrated origin : https://admin.target.com

Built for bug hunters, not devs.

Most request bins are made for developers testing webhooks, mock APIs and integrations. PingBack.sh is made for hunters who need out-of-band evidence for real vulnerability reports.

Webhook / mock API tools

Debug webhook delivery
Inspect HTTP requests
Mock API responses
Replay integration traffic
Built for developers and QA teams

PingBack.sh

Catch HTTP, DNS, SMTP and Blind XSS callbacks
Generate bug bounty payloads instantly
Download pre-built SSRF, XXE, SVG and PDF files
Collect headers, body, IP, ASN, geo and timing evidence
Built for security researchers and bounty reports

PingBack.sh vs the leaders

RequestBin, Beeceptor and Interactsh are useful tools — but they solve different problems. PingBack.sh focuses on the bug bounty workflow: fast listeners, practical payloads and report-ready OOB evidence.

Feature	PingBack.sh	RequestBin	Beeceptor	Interactsh
HTTP callback capture	Yes	Yes	Yes	Yes
DNS callback capture	Yes	No	No	Yes
SMTP callbacks	Yes	No	No	Partial
Blind XSS payload	Yes	No	No	Manual
Ready-made XXE payloads	Yes	No	No	Manual
SVG / PDF / PNG payload files	Yes	No	No	No
Bug bounty-focused use cases	Yes	No	No	Security
Mock API / fake endpoints	No	Basic	Yes	No
Request replay / editing	No	Yes	Yes	No
No signup required	Yes	Depends	Yes	Yes
Main audience	Bug bounty hunters	Developers	Developers / QA	Security testers

RequestBin captures webhooks.
Beeceptor mocks APIs.
Interactsh catches interactions.

PingBack.sh gives bug bounty hunters ready-to-use payloads to prove real-world impact.

What you can detect

Bug classes, organized by the protocol you'll see fire in your dashboard.

HTTP / HTTPS6 bug classes

Server-Side Request Forgery (SSRF)
Cloud metadata exfiltration
Webhook destination abuse
OAuth redirect_uri smuggling
PDF / image renderer SSRF
CI/CD secrets exfiltration

DNS5 bug classes

log4j / JNDI lookups
Blind SSRF behind egress firewalls
SSTI (Server-Side Template Injection)
Command injection (OOB confirmation)
XXE data exfiltration

Blind XSS4 bug classes

Admin panel XSS via user input
Support ticket / CRM injection
Filename / upload listing XSS
SVG-based stored XSS

SMTP4 bug classes

Password reset email enumeration
Email verification bypass
Invitation system abuse
Webhook event leak

Every request to *.pingback.sh is logged with full headers, body, source IP, geo and ASN. XSS payloads capture cookies, DOM, localStorage and origin. DNS queries are captured at the authoritative nameserver — no recursion, no waiting.

Get your key. Start catching callbacks today.

$99 / year · unlimited listeners · pay in crypto · instant, anonymous delivery.

Get your key →

Every missed callback isa bounty you never submit.