OOB testing built for bug bounty

Your payload fires.
We catch it.

OOB callbacks for SSRF, XXE, blind XSS and log4j-style bugs. Built for hunters who report findings, not screenshots.

Get pinged the moment your payload fires — optional, but you'll want it.

HTTP callbacks · DNS callbacks · SMTP callbacks · Blind XSS · No signup · Ready payload files

Not another webhook catcher.

Most request bins are made for developers testing webhooks, mock APIs and integrations. PingBack.sh is made for hunters who need out-of-band evidence for real vulnerability reports.

Webhook / mock API tools

  • Debug webhook delivery
  • Inspect HTTP requests
  • Mock API responses
  • Replay integration traffic
  • Built for developers and QA teams

PingBack.sh vs the leaders

RequestBin, Beeceptor and Interactsh are useful tools — but they solve different problems. PingBack.sh focuses on the bug bounty workflow: fast listeners, practical payloads and report-ready OOB evidence.

| Feature | PingBack.sh | RequestBin | Beeceptor | Interactsh |
|---|---|---|---|---|
| HTTP callback capture | Yes | Yes | Yes | Yes |
| DNS callback capture | Yes | No | No | Yes |
| SMTP callbacks | Yes | No | No | Partial |
| Blind XSS payload | Yes | No | No | Manual |
| Ready-made XXE payloads | Yes | No | No | Manual |
| SVG / PDF / PNG payload files | Yes | No | No | No |
| Bug bounty-focused use cases | Yes | No | No | Security |
| Mock API / fake endpoints | No | Basic | Yes | No |
| Request replay / editing | No | Yes | Yes | No |
| No signup required | Yes | Depends | Yes | Yes |
| Main audience | Bug bounty hunters | Developers | Developers / QA | Security testers |

RequestBin captures webhooks.
Beeceptor mocks APIs.
Interactsh catches interactions.

PingBack.sh gives bug bounty hunters ready-to-use payloads to prove real-world impact.

What you can detect

Bug classes, organized by the protocol you'll see fire in your dashboard.

HTTP / HTTPS (6 bug classes)
  • Server-Side Request Forgery (SSRF)
  • Cloud metadata exfiltration
  • Webhook destination abuse
  • OAuth redirect_uri smuggling
  • PDF / image renderer SSRF
  • CI/CD secrets exfiltration
DNS (5 bug classes)
  • log4j / JNDI lookups
  • Blind SSRF behind egress firewalls
  • SSTI (Server-Side Template Injection)
  • Command injection (OOB confirmation)
  • XXE data exfiltration
Blind XSS (4 bug classes)
  • Admin panel XSS via user input
  • Support ticket / CRM injection
  • Filename / upload listing XSS
  • SVG-based stored XSS
SMTP (4 bug classes)
  • Password reset email enumeration
  • Email verification bypass
  • Invitation system abuse
  • Webhook event leak

Every request to *.pingback.sh is logged with full headers, body, source IP, geo and ASN. XSS payloads capture cookies, DOM, localStorage and origin. DNS queries are captured at the authoritative nameserver — no recursion, no waiting.