blog
Short notes on what exl.ink does and where it's going.
A quick tour of exl.ink (and what's coming)
exl.ink is a set of small tools that need no login and keep nothing afterwards. Here's a quick tour of everything it does today — and a note on what's next.
Reverse Proxies, Reverse Tunnels, and Egress Abuse
Forward proxy, reverse proxy, and reverse tunnel are not the same thing. How the difference maps to webhooks, NAT, reverse shells, C2, and egress detection.
Out-of-band testing: catching blind callbacks with a bin
A public URL that logs every request lets you confirm blind SSRF, blind (stored) XSS, and out-of-band exfiltration by making the target call you back — and debug webhooks.
Disposable email: when a throwaway inbox fits (and when it doesn't)
A throwaway inbox is right for one-off signups and catching a single code, and wrong for anything you must recover. Where the line falls, and how it differs from aliases.
Stop Pasting Passwords Into Chat: One-Time Secret Links
Pasting a password into Slack leaves copies in history, search, and backups. How burn-after-read links and a key in the URL #fragment keep the server blind.
A JWT You Can Read Isn't a JWT You Can Trust
Decoding a JWT is not verifying it. The header.payload.signature anatomy, why base64url is encoding not encryption, and the classic failures: alg=none and RS256-to-HS256.
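The decode-versus-verify gap in runnable form. This is an added illustration for this index entry, not code from the linked post or from exl.ink; the key, claims and token strings are constructed here. The verifier pins HS256 before looking at the token, which is the single property that defeats both `alg=none` and the RS256-to-HS256 swap (an attacker who can make the server HMAC with its own RSA public key only wins if the header picks the algorithm).

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url: it is an encoding, anyone can reverse it.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> dict:
    """What 'decoding' a JWT means: read the payload, trust nothing."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (key and claims are constructed examples)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """The classic attack: an unsigned token that a naive verifier 'accepts'."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_hs256(token: str, key: bytes, now=None):
    """Return the claims only if the token verifies under HS256 and is unexpired.

    The algorithm is fixed by the verifier, never chosen by the token's header:
    that is what blocks alg=none and the RS256->HS256 key-confusion swap.
    Returns None on any failure so callers cannot accidentally use claims.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # alg=none, RS256, or anything else: refuse, do not dispatch
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # constant-time compare; a forged or tampered token lands here
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(claims, dict):
        return None
    if "exp" in claims and claims["exp"] <= now:
        return None  # a valid signature on an expired token is still a rejection
    return claims


if __name__ == "__main__":
    key = b"server-secret-example"
    good = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, key)
    print("verified:", verify_hs256(good, key))
    forged = forge_alg_none({"sub": "admin"})
    print("decoded forged payload:", decode_unverified(forged))
    print("verified forged token:", verify_hs256(forged, key))
```

Note the asymmetry the post's title points at: `decode_unverified` happily returns `{"sub": "admin"}` for the forged token, while `verify_hs256` returns `None` for it, for a token whose payload segment was swapped, and for one signed under HS256 with a different key (which is what a confused RS256 verifier would end up checking).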
UUIDv4, UUIDv7, ULID, NanoID: IDs That Sort and Don't Leak
A tradeoff guide to UUIDv4, UUIDv7, ULID, and NanoID: index locality, collision math, and why guessable IDs enable IDOR while random ones can be capabilities.
SPF, DKIM, DMARC: how email proves it isn't forged
SMTP lets anyone forge a From address. How SPF, DKIM, and DMARC layer up to catch it — envelope vs header From, alignment, p=none/quarantine/reject, and auditing a domain.
The TLS Certificate Outage Is Preventable: A Checklist
Why expired-cert outages still hit big companies despite ACME, what to watch from outside, why the served chain matters more than the leaf, and the 47-day shift.
Open, closed, or filtered: reading a port check
A port checker returns open, closed, or filtered. What each state means via the TCP handshake, why an external check differs from localhost, and the limits.
Your IP, reverse DNS, and X-Forwarded-For: what servers see
A server sees your IP, a few headers, and a database — not your house. How NAT hides your real address, why X-Forwarded-For is spoofable, and where geolocation breaks.
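Why X-Forwarded-For is only as good as the hop that wrote it: an added example (not code from the linked post or from exl.ink) showing the one safe way to read the header, walking it from the right and skipping only the proxies you operate. The trusted ranges and sample addresses are constructed for illustration.

```python
import ipaddress


def client_ip(remote_addr: str, xff, trusted_proxies) -> str:
    """Pick the client address from X-Forwarded-For without trusting the client.

    remote_addr is the TCP peer (what the kernel saw). xff is the raw header
    value or None. trusted_proxies lists CIDRs of proxies we operate.
    Only hops appended by trusted proxies mean anything; everything to the
    left of the rightmost untrusted hop is attacker-supplied text.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not is_trusted(remote_addr):
        # Direct connection: the header (if any) was set by the client itself.
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue  # an internal hop we added; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage where an IP should be: do not guess
        return hop  # rightmost address written by a proxy we trust
    return remote_addr  # header empty, all-trusted, or malformed: fall back to the peer


if __name__ == "__main__":
    ours = ["10.0.0.0/8", "127.0.0.1/32"]
    # Honest chain: client -> our edge (10.0.0.5) -> this app (peer 10.0.0.2).
    print(client_ip("10.0.0.2", "1.2.3.4, 10.0.0.5", ours))
    # Spoof attempt: client sent its own XFF; our edge appended the real address.
    print(client_ip("10.0.0.2", "9.9.9.9, 1.2.3.4", ours))
```

The second case is the one that bites: a naive `xff.split(",")[0]` returns `9.9.9.9`, whatever the client typed, and that value then feeds rate limits, geolocation and audit logs.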
Receiving webhooks without deploying a server
Test webhook integrations with no public deploy: inspect payloads in a bin, forward to localhost, verify HMAC signatures, and handle replays and retries.
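The receiving side of that entry, as an added example rather than code from the linked post or from exl.ink: HMAC verification bound to a timestamp, a freshness window against replays, and an idempotency set so a provider retry is acknowledged but not processed twice. The header names, the `<timestamp>.<body>` signing scheme, the secret and the event bodies are constructed for illustration; real providers each define their own.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # how old a delivery may be before we call it a replay


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hypothetical provider scheme: hex HMAC-SHA256 over '<ts>.<raw body>'.

    Binding the timestamp into the MAC is what lets the receiver reject old
    captures: an attacker cannot re-date a signed delivery.
    """
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()  # in production this lives in shared storage

    def accept(self, headers: dict, body: bytes, now=None):
        """Return (ack, reason). ack=True means respond 2xx to the provider.

        Verify over the raw bytes, never over re-serialised JSON: any
        whitespace or key-order change would break the MAC.
        """
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > TOLERANCE_SECONDS:
            return False, "stale"
        expected = sign_webhook(self.secret, ts, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        try:
            event = json.loads(body)
            event_id = event["id"]
        except (ValueError, KeyError, TypeError):
            return False, "bad body"
        if event_id in self.seen_ids:
            # Provider retry or a replay of a genuine delivery: ack it so the
            # provider stops retrying, but run no side effects again.
            return True, "duplicate"
        self.seen_ids.add(event_id)
        # ... real handling (update order, send email) would happen here ...
        return True, "processed"


if __name__ == "__main__":
    secret = b"whsec_example_secret"
    receiver = WebhookReceiver(secret)
    body = b'{"id":"evt_1","type":"payment.succeeded","amount":1000}'
    ts = int(time.time())
    headers = {"X-Timestamp": str(ts), "X-Signature": sign_webhook(secret, ts, body)}
    print(receiver.accept(headers, body))  # processed
    print(receiver.accept(headers, body))  # duplicate, still acked
```

Order of checks matters a little: the timestamp gate runs first because it is cheap and lets a flood of replayed captures be dropped before any HMAC work, and the signature check uses `hmac.compare_digest` so a wrong guess leaks nothing through timing.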
Move data between machines with curl: pipes, not file servers
scp, S3, and file hosts are overkill for a one-shot move. A streaming HTTP pipe, netcat-style but driven with curl, using chunked encoding and backpressure, sends bytes from A to B and stores them nowhere.
View-once links: why ephemeral sharing beats email
Emailing a file scatters durable copies across mailboxes and backups. A view-once link with single-use or expiry, plus in-browser encryption, narrows the exposure window — with honest limits.
SSE vs WebSockets: the simpler real-time you usually want
Most real-time needs are server-to-client streams. Server-Sent Events handle them over plain HTTP with built-in reconnection — simpler than WebSockets. When each fits, plus the HTTP/1.1 caveat.