blind xss catcher

Mint a probe, inject one of its payloads into a field you suspect is unsanitised, and when the page is later rendered — in an admin panel, a log viewer, anywhere — the payload fires and reports the page URL, cookies, storage, and DOM back to you live. Like XSS Hunter, but ephemeral.

For authorized security testing only. Probes and their captures expire and are never listed.

Or from the terminal

    curl -s exl.ink/api/xss/new
    # → { "payloads": {...}, "apiUrl": "...", "secret": "..." }
    # inject a payload, then poll apiUrl for fires
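The rendering side of the scenario described above, as an added example that is not part of the original page or the tool's own code: a log viewer row built by string concatenation next to one that encodes stored fields at output time, plus response headers that limit what a script could load or read. The function names, the record fields and the `probe.example` value are assumptions made up for this sketch.

```javascript
// Added example: escapeHtml, renderRowUnsafe, renderRowSafe and viewerHeaders are hypothetical names.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// 'Before': stored fields are concatenated into markup, so a tag inside one
// becomes live DOM in the browser of whoever opens the viewer later.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td title="${entry.userAgent}">${entry.message}</td></tr>`;
}

// 'After': every stored field is encoded when it is written into the page,
// in text position and in attribute position alike.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td>` +
    `<td title="${escapeHtml(entry.userAgent)}">${escapeHtml(entry.message)}</td></tr>`;
}

// Headers for the viewer response. The CSP refuses inline and off-origin scripts
// and off-origin fetches; HttpOnly keeps the session cookie out of document.cookie.
function viewerHeaders(sessionId) {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'",
    "Set-Cookie": `sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Strict; Path=/`,
  };
}

// Constructed sample record: a request header that was stored verbatim and is
// rendered days later in an internal viewer.
const sample = {
  time: "2024-01-01T00:00:00Z",
  userAgent: '"><script src="https://probe.example/p.js"></script>',
  message: "login failed for <b>alice</b>",
};

console.log(renderRowUnsafe(sample)); // contains a live <script> element
console.log(renderRowSafe(sample));   // same data, inert text
console.log(viewerHeaders("constructed-session-id"));
```

Output encoding is the fix; the headers are a second layer that reduces what reaches a third party if a field is missed.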