Out-of-band interaction console

Free OOB collaborator & blind XSS catcher

Generate a unique capture URL, drop it into your payloads, and watch SSRF, XXE, and blind XSS callbacks land in real time. No signup, no license — a hosted Burp Collaborator, Interactsh, and XSS Hunter alternative that runs on Cloudflare.

No signup · HTTP + HTTPS · Real-time feed · Blind XSS beacon · Free

What is an OOB collaborator?

An out-of-band application security testing (OAST) server gives you a unique URL that logs every request it receives. When you inject that URL into a target and a vulnerability makes the application call back, a blind, invisible bug becomes provable.

Many high-impact vulnerabilities produce no visible response: server-side request forgery (SSRF), XML external entities (XXE), blind SQL/command injection, and blind cross-site scripting (XSS). An OOB collaborator confirms them by capturing the outbound HTTP(S) request the target makes to your capture host — including headers, body, source IP, and geolocation.
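To make the capture side of this concrete, here is a minimal in-memory model of an OOB capture host. It is an added illustration, not httpcollab's code: the base domain `oob.example.test`, the idle lifetime, and the exact session-id and secret scheme are assumptions. It shows the three properties the page describes: a request to any label under the session subdomain is logged with method, path, headers, body and source IP; captures can only be read by presenting the session secret (compared in constant time); and idle sessions expire. It also lets a session owner set a custom response so the host keeps logging while serving a proof-of-concept body.

```python
"""Minimal model of an OOB capture host (added example, not httpcollab's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CAPTURE_DOMAIN = "oob.example.test"  # assumed base domain for this illustration
IDLE_TTL = 3600                      # assumed idle lifetime in seconds


@dataclass
class Capture:
    received_at: float
    method: str
    host: str
    path: str
    headers: dict
    body: bytes
    source_ip: str


@dataclass
class Session:
    session_id: str
    secret: str
    last_seen: float
    captures: list = field(default_factory=list)
    # (status, content-type, body) returned to whoever hits the capture host
    custom_response: tuple = (200, "text/plain", "ok")


SESSIONS = {}  # session_id -> Session


def new_session(now=None):
    """Create a session: a public, unguessable id that appears in the capture
    URL, and a private secret that never goes into a payload."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(8)      # lowercase hex: safe as a DNS label
    secret = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(session_id, secret, now)
    return session_id, secret


def capture_url(session_id):
    return "https://%s.%s/" % (session_id, CAPTURE_DOMAIN)


def session_from_host(host):
    """Map a Host header to a session id. Nested labels (a.b.<id>.<domain>)
    still resolve to the session, so every sub-subdomain is logged too."""
    host = host.split(":", 1)[0].lower().rstrip(".")
    suffix = "." + CAPTURE_DOMAIN
    if not host.endswith(suffix):
        return None
    labels = host[: -len(suffix)].split(".")
    return labels[-1] if labels[-1] in SESSIONS else None


def handle_request(method, host, path, headers, body, source_ip, now=None):
    """Log one incoming request and return the (status, content_type, body)
    reply. Requests for unknown hosts get a 404 and are not stored."""
    now = time.time() if now is None else now
    sid = session_from_host(host)
    if sid is None:
        return (404, "text/plain", "no such session")
    s = SESSIONS[sid]
    s.captures.append(Capture(now, method, host, path, dict(headers), bytes(body), source_ip))
    s.last_seen = now
    return s.custom_response


def _authorize(session_id, secret):
    s = SESSIONS.get(session_id)
    # Constant-time compare; an unknown id and a wrong secret fail the same way.
    if s is None or not hmac.compare_digest(s.secret, secret):
        raise PermissionError("invalid session or secret")
    return s


def read_captures(session_id, secret):
    """Captures are readable only with the secret, never with the id alone."""
    return list(_authorize(session_id, secret).captures)


def set_custom_response(session_id, secret, status, content_type, body):
    """Owner-only: serve a custom page/redirect from the capture host."""
    _authorize(session_id, secret).custom_response = (status, content_type, body)


def expire_idle(now=None):
    """Drop sessions that have had no callback within IDLE_TTL; return the count."""
    now = time.time() if now is None else now
    stale = [sid for sid, s in SESSIONS.items() if now - s.last_seen > IDLE_TTL]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)
```

In a real deployment `handle_request` would be the HTTP entry point and `read_captures` would sit behind the dashboard; the point of the split is that the id in the URL is public by nature (it is sent to the target), so the secret must be a separate value that only ever travels between you and the dashboard.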

Everything you need to catch a callback

Purpose-built for SSRF, XXE, and blind XSS testing during pentests and bug bounties.

Unique capture URLs

Every session gets its own subdomain. Any request to it — any method, path, or nested label — is logged with full detail.

Real-time feed

Callbacks stream to your dashboard instantly over a WebSocket. No polling, no refresh, no waiting.

Blind XSS beacon

A ready-made payload exfiltrates cookies, full DOM, page URL, referrer, user-agent, and an optional screenshot.

Custom response / PoC hosting

Serve your own HTML, a redirect, or any status and body from the capture host to chain exploits — while still logging every hit.

No signup, private by default

A session is an unguessable id plus a secret only you hold. Captures are readable only with the secret.

Auto-expiry

Idle sessions wipe themselves. Nothing lingers longer than it needs to.

How it works

From zero to a confirmed callback in under a minute.

Open a session

Launch the console and click New session. You get a capture host and ready-to-paste payloads.

Fire a payload

Drop the OOB URL or a blind-XSS payload into your target — a form field, header, XML entity, or parameter.

Watch it land

When the app calls back, the request appears live with headers, body, source IP, and geolocation.

httpcollab vs Burp Collaborator, Interactsh & XSS Hunter

An honest comparison. httpcollab focuses on free, instant, HTTP-based OOB and blind XSS.

| Capability           | httpcollab | Burp Collaborator | Interactsh | XSS Hunter |
|----------------------|------------|-------------------|------------|------------|
| Price                | Free       | Paid (Burp Pro)   | Free       | Free       |
| No signup            | Yes        | n/a               | Yes        | Account    |
| Runs in browser      | Yes        | Burp app          | CLI        | Yes        |
| HTTP / HTTPS capture | Yes        | Yes               | Yes        | Yes        |
| Blind XSS beacon     | Yes        | No                | No         | Yes        |
| Real-time feed       | Yes        | Polling           | Polling    | Yes        |
| DNS / SMTP OOB       | No         | Yes               | Yes        | No         |
| Self-host            | Cloudflare | Private server    | Yes        | Yes        |

Comparison for general guidance; features of third-party tools change over time.

Built for real findings

SSRF

Confirm server-side request forgery when the response gives nothing away — the server's callback to your host is the proof.

XXE

Trigger an external entity fetch to your capture URL to prove XML external entity processing.

Blind XSS

Fire a payload into admin panels, tickets, and dashboards; capture cookies, DOM, and a screenshot when it executes later.

Blind injection

Blind SQL, command, and template injection that can reach out over HTTP become detectable via the callback.

Webhook & API debugging

Point any integration at your capture host to inspect exactly what it sends.

PoC hosting

Serve a proof-of-concept page or redirect from your capture host to chain and demonstrate exploits.

Frequently asked questions

What is an out-of-band (OOB) collaborator?

An OOB collaborator (an OAST server) is a listening service with a unique URL. You inject that URL into an application; if a vulnerability like SSRF, XXE, or blind XSS causes the app to make an outbound connection, the collaborator logs it — proving the bug even when there is no visible response.

Is httpcollab free and does it need an account?

Yes. httpcollab is free and needs no signup. A session is an unguessable id plus a private secret used to read your captures. It runs on Cloudflare's free tier.

How is it different from Burp Collaborator?

httpcollab is free, browser-based, and needs no Burp license. It captures HTTP and HTTPS callbacks and blind XSS. Unlike Burp Collaborator it does not capture DNS or SMTP interactions, because it runs entirely on Cloudflare Workers, which only handle HTTP(S).

Does it support DNS-based OOB detection?

No. httpcollab captures HTTP and HTTPS callbacks and blind XSS only. DNS and SMTP out-of-band detection are not supported on the Cloudflare Workers platform.

What can I test with it?

SSRF, XXE, blind XSS, and blind injection bugs (SQL, command, template) that trigger an outbound HTTP request. You can also host a custom response or proof-of-concept page on your capture host.

Is it legal to use?

httpcollab is for authorized security testing only — your own systems, or targets you have explicit permission to test, such as a pentest engagement or a bug bounty program in scope. You are responsible for how you use it.

Start catching callbacks

Open a session in your browser. No signup, no install.

Launch the console →