Get the proof you need to submit valid reports

Catch blind bugs that Burp Suite misses.

HTTP, DNS, SMTP and Blind XSS listeners for bug bounty hunters. Generate a callback, paste your payload, get notified when it fires.

Made for hunters working on major bug bounty platforms

Bugcrowd
HackerOne
YesWeHack
Free trial — listeners last 24h. Just hit generate, no signup.

Use a burner inbox if you like — email is optional and only alerts you when your listener catches something. Discord & Telegram alerts can be added later from your dashboard.

$39 / 30 days · One key, unlimited listeners, zero subscription traps.
The first bug you confirm pays for years of this.
  • 90-day evidence retention — that blind XSS fires three weeks after you submit. On free it's already gone; on Pro it's still sitting in your feed, timestamped and report-ready.
  • Unlimited HTTP, DNS, SMTP & Blind XSS listeners — spin up one per target, no caps, no cooldowns, ever
  • Real-time alerts the instant a payload fires — Email, Discord & Telegram, plus a JSON API to wire into your own tooling
  • Weaponized file payloads — SVG, PDF, XXE & DTD files with your listener baked in. Drop them in an upload field and catch the callback
  • Full forensics per hit — headers, body, source IP, reverse DNS, ASN, geo & timing. Everything a triager needs to mark it valid
  • Anonymous by default — no logs, no email required, pay in crypto or PayPal
Instant delivery · anonymous · no auto-renew, no subscription trap

Three steps to a callback

No setup, no server to host, no Burp Pro. Generate, inject, get notified.

1. Generate a listener

One click gives you a unique subdomain on *.pingback.sh plus ready-made HTTP, DNS, SMTP and Blind XSS payloads.

2. Drop it in your payload

Paste the callback URL into any suspicious sink — a profile field, a webhook config, an XML parser, a log line.

3. Get the ping

When the target bites, you get full headers, body, IP, geo and timing — instantly, with email, Discord or Telegram alerts.

This is what you get back

Report-ready evidence, not a screenshot. Every interaction is logged with the detail an H1 / Bugcrowd triager needs.

blind-xss · captured interaction live
type       : blind-xss
fired_at   : 2026-05-31 14:02:09 UTC (18 days after injection)
source_ip  : 203.0.113.44 · AS13335 Cloudflare · US
page_url   : https://admin.target.com/support/ticket/8842
user_agent : Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
cookies    : session=•••••••• (captured)
dom        : <div class="admin-panel">… exfiltrated
origin     : https://admin.target.com

Built for bug hunters, not devs.

Most request bins are made for developers testing webhooks, mock APIs and integrations. PingBack.sh is made for hunters who need out-of-band evidence for real vulnerability reports.

Webhook / mock API tools

  • Debug webhook delivery
  • Inspect HTTP requests
  • Mock API responses
  • Replay integration traffic
  • Built for developers and QA teams

PingBack.sh vs the leaders

RequestBin, Beeceptor and Interactsh are useful tools — but they solve different problems. PingBack.sh focuses on the bug bounty workflow: fast listeners, practical payloads and report-ready OOB evidence.

| Feature | PingBack.sh | RequestBin | Beeceptor | Interactsh |
|---|---|---|---|---|
| HTTP callback capture | Yes | Yes | Yes | Yes |
| DNS callback capture | Yes | No | No | Yes |
| SMTP callbacks | Yes | No | No | Partial |
| Blind XSS payload | Yes | No | No | Manual |
| Ready-made XXE payloads | Yes | No | No | Manual |
| SVG / PDF / PNG payload files | Yes | No | No | No |
| Bug bounty-focused use cases | Yes | No | No | Security |
| Mock API / fake endpoints | No | Basic | Yes | No |
| Request replay / editing | No | Yes | Yes | No |
| No signup required | Yes | Depends | Yes | Yes |
| Main audience | Bug bounty hunters | Developers | Developers / QA | Security testers |

RequestBin captures webhooks.
Beeceptor mocks APIs.
Interactsh catches interactions.

PingBack.sh gives bug bounty hunters ready-to-use payloads to prove real-world impact.

What you can detect

Bug classes, organized by the protocol you'll see fire in your dashboard.

HTTP / HTTPS · 6 bug classes
  • Server-Side Request Forgery (SSRF)
  • Cloud metadata exfiltration
  • Webhook destination abuse
  • OAuth redirect_uri smuggling
  • PDF / image renderer SSRF
  • CI/CD secrets exfiltration
DNS · 5 bug classes
  • log4j / JNDI lookups
  • Blind SSRF behind egress firewalls
  • SSTI (Server-Side Template Injection)
  • Command injection (OOB confirmation)
  • XXE data exfiltration
Blind XSS · 4 bug classes
  • Admin panel XSS via user input
  • Support ticket / CRM injection
  • Filename / upload listing XSS
  • SVG-based stored XSS
SMTP · 4 bug classes
  • Password reset email enumeration
  • Email verification bypass
  • Invitation system abuse
  • Webhook event leak

Every request to *.pingback.sh is logged with full headers, body, source IP, geo and ASN. XSS payloads capture cookies, DOM, localStorage and origin. DNS queries are captured at the authoritative nameserver — no recursion, no waiting.

Start free. Go Pro the day a callback lands you a bounty.

Free 24h trial to kick the tyres · then $39 / 30 days for unlimited listeners, 90-day evidence retention and instant alerts. Pay in crypto or PayPal — instant, anonymous, no auto-renew.