Burp Collaborator alternative · for security researchers

Collect OOB callbacks without Burp Suite Pro.

RequestBin gives you a public callback URL in seconds (SSRF, blind XSS, blind SQLi, DNS exfil) and captures every request with full headers, body, and source IP. Free tier covers most pen-test work; PRO is $12/mo (vs Burp Suite Pro at $449/year).

Why pen testers switch from Burp Collaborator

$12/mo vs $449/year

Burp Collaborator is locked behind Burp Suite Pro. RequestBin PRO is per-user, monthly, no Burp licence required.

Works without Burp Suite

Drop the URL into Nuclei, sqlmap, curl, or hand-crafted POCs. No Burp project required — the callback URL is just an HTTPS endpoint.

Bulk export for reports

NDJSON export of every captured request. Pipe directly into your reporting pipeline; no scraping Burp's UI.

The workflow

  1. Create a bin → get an HTTPS URL

    Sign up, click "New Bin", copy the URL (e.g. requestbin.net/r/abc123). Total: ~5 seconds.

  2. Paste it into your scanner

    Nuclei -var oob_url=…, sqlmap --dns-domain, hand-crafted SSRF payloads, blind-XSS POCs — anything that fires a callback.

  3. Watch hits land in real time

    The bin detail page polls every 5s. Every callback shows up with method, path, headers, body, and the source IP that fired it.

  4. Export the lot for your report

    Click Export — NDJSON streams down with every captured request. Pipe through jq or your own report tooling.

  5. Or: use the Burp Suite extension

    The RequestBin Collaborator extension plugs into Burp Suite (free + community editions) and routes Collaborator-style callbacks to your bin. True drop-in.

Burp Collaborator vs RequestBin

Focused on the OOB callback workflow. Burp Suite Pro is broader — RequestBin doesn't try to replace the proxy or scanner.

Capability | Burp Collaborator | RequestBin
HTTP callback URL | |
DNS callback support | | planned (see roadmap below)
Works without Burp Suite Pro | |
Real-time UI inspection | Burp UI only | Web UI · API · MCP
Replay captured requests | |
Bulk NDJSON export | manual |
Burp Suite integration | native | free extension
Public sharing of a callback | | share link, read-only
Starting price | $449 / year (Burp Pro) | Free · PRO $12/mo

Try it on your next engagement.

Free tier: 3 bins, 500 requests/day per bin, 100-row export. Enough for a single pen-test campaign. PRO: unlimited captures, full bulk export, longer retention.

What's coming next (for this use case)

These are queued specifically off security-researcher feedback:

  • DNS callback support — capture out-of-band DNS queries (the channel Burp uses for blind exfil)
  • Extended retention — multi-month windows for engagements that run beyond the standard plan history
  • Signed export bundles — tamper-evident bundles for evidence chain-of-custody in pen-test reports

Working on a security-research workflow that would benefit from one of these? Reply to [email protected] — direct line to the founder.

RequestBin
© Copyright 2026 RequestBin.