Generate a unique capture URL, drop it into your payloads, and watch SSRF, XXE, and blind XSS callbacks land in real time. No signup, no license — a hosted Burp Collaborator, Interactsh, and XSS Hunter alternative that runs on Cloudflare.
An out-of-band application security testing (OAST) server gives you a unique URL that logs every request it receives. When you inject that URL into a target and a vulnerability makes the application call back — a blind, invisible bug suddenly becomes provable.
Many high-impact vulnerabilities produce no visible response: server-side request forgery (SSRF), XML external entities (XXE), blind SQL/command injection, and blind cross-site scripting (XSS). An OOB collaborator confirms them by capturing the outbound HTTP(S) request the target makes to your capture host — including headers, body, source IP, and geolocation.
Purpose-built for SSRF, XXE, and blind XSS testing during pentests and bug bounties.
Every session gets its own subdomain. Any request to it — any method, path, or nested label — is logged with full detail.
Callbacks stream to your dashboard instantly over a WebSocket. No polling, no refresh, no waiting.
A ready-made payload exfiltrates cookies, full DOM, page URL, referrer, user-agent, and an optional screenshot.
Serve your own HTML, a redirect, or any status and body from the capture host to chain exploits — while still logging every hit.
A session is an unguessable id plus a secret only you hold. Captures are readable only with the secret.
Idle sessions wipe themselves. Nothing lingers longer than it needs to.
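The session model the features above describe (one subdomain per session, nested labels accepted, reads gated by a secret, idle wipe), as an added in-memory sketch in Python that is not httpcollab's own code; the base domain `capture.example`, the one-hour idle limit and the capture record fields are assumptions.

```python
import hmac, secrets, time

BASE_DOMAIN = "capture.example"   # assumed capture base domain (placeholder)
IDLE_TTL = 3600                   # assumed idle lifetime in seconds


class Collaborator:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry is testable
        self.sessions = {}        # sid -> {"secret", "last_seen", "captures"}

    def new_session(self):
        sid = secrets.token_hex(8)            # unguessable subdomain label
        secret = secrets.token_urlsafe(32)    # read-side secret, held only by the tester
        self.sessions[sid] = {"secret": secret, "last_seen": self.now(), "captures": []}
        return sid, secret, f"{sid}.{BASE_DOMAIN}"

    def session_for_host(self, host):
        # Accept any nesting depth (a.b.<sid>.<base>) and ignore a port suffix.
        labels = host.split(":")[0].lower().rstrip(".").split(".")
        base = BASE_DOMAIN.split(".")
        if len(labels) <= len(base) or labels[-len(base):] != base:
            return None
        return labels[-len(base) - 1]

    def capture(self, method, host, path, headers, body, src_ip):
        # Log every hit to a live session, whatever the method or path.
        sess = self.sessions.get(self.session_for_host(host))
        if sess is None:
            return False
        sess["last_seen"] = self.now()
        sess["captures"].append({"ts": sess["last_seen"], "method": method, "path": path,
                                 "headers": dict(headers), "body": bytes(body), "src_ip": src_ip})
        return True

    def read(self, sid, secret):
        # Captures are readable only with the secret; compare in constant time.
        sess = self.sessions.get(sid)
        if sess is None or not hmac.compare_digest(sess["secret"].encode(), secret.encode()):
            return None
        sess["last_seen"] = self.now()
        return list(sess["captures"])

    def expire_idle(self):
        # Idle sessions wipe themselves: drop anything untouched for IDLE_TTL.
        cutoff = self.now() - IDLE_TTL
        dead = [sid for sid, s in self.sessions.items() if s["last_seen"] < cutoff]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)
```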
From zero to a confirmed callback in under a minute.
1. Launch the console and click New session. You get a capture host and ready-to-paste payloads.
2. Drop the OOB URL or a blind-XSS payload into your target — a form field, header, XML entity, or parameter.
3. When the app calls back, the request appears live with headers, body, source IP, and geolocation.
An honest comparison: httpcollab focuses on free, instant, HTTP-based OOB capture and blind XSS.
| Capability | httpcollab | Burp Collaborator | Interactsh | XSS Hunter |
|---|---|---|---|---|
| Price | Free | Paid (Burp Pro) | Free | Free |
| No signup | Yes | n/a | Yes | Account |
| Runs in browser | Yes | Burp app | CLI | Yes |
| HTTP / HTTPS capture | Yes | Yes | Yes | Yes |
| Blind XSS beacon | Yes | No | No | Yes |
| Real-time feed | Yes | Polling | Polling | Yes |
| DNS / SMTP OOB | No | Yes | Yes | No |
| Self-host | Cloudflare | Private server | Yes | Yes |
- Confirm server-side request forgery when the response gives nothing away — the server's callback to your host is the proof.
- Trigger an external entity fetch to your capture URL to prove XML external entity processing.
- Fire a payload into admin panels, tickets, and dashboards; capture cookies, DOM, and a screenshot when it executes later.
- Blind SQL, command, and template injection bugs that can reach out over HTTP become detectable through the callback.
- Point any integration at your capture host to inspect exactly what it sends.
- Serve a proof-of-concept page or redirect from your capture host to chain and demonstrate exploits.
An OOB collaborator (an OAST server) is a listening service with a unique URL. You inject that URL into an application; if a vulnerability like SSRF, XXE, or blind XSS causes the app to make an outbound connection, the collaborator logs it — proving the bug even when there is no visible response.
Yes. httpcollab is free and needs no signup. A session is an unguessable id plus a private secret used to read your captures. It runs on Cloudflare's free tier.
httpcollab is free, browser-based, and needs no Burp license. It captures HTTP and HTTPS callbacks and blind XSS. Unlike Burp Collaborator it does not capture DNS or SMTP interactions, because it runs entirely on Cloudflare Workers, which only handle HTTP(S).
No. httpcollab captures HTTP and HTTPS callbacks and blind XSS only. DNS and SMTP out-of-band detection are not supported on the Cloudflare Workers platform.
SSRF, XXE, blind XSS, and blind injection bugs (SQL, command, template) that trigger an outbound HTTP request. You can also host a custom response or proof-of-concept page on your capture host.
httpcollab is for authorized security testing only — your own systems, or targets you have explicit permission to test, such as a pentest engagement or a bug bounty program in scope. You are responsible for how you use it.