OAST alternatives

Only Burp Suite Professional includes the Collaborator, and it costs a lot. ZAP does not include OAST functionality. There are alternatives:

  • pingb.in was originally built for capturing ICMP pings with a unique payload, but it works great for DNS and HTTP too. It does not seem to support HTTPS, though.

  • Webhook.site supports inspecting, testing and automating (with the visual Custom Actions builder, or WebhookScript) incoming HTTP requests or e-mail.

  • transfer.bi.tk/

  • canary tokens

  • Interactsh is an open-source tool for detecting out-of-band interactions, designed to find vulnerabilities that cause external interactions. Also see app.interactsh.com.