
About req.cat

Multi-protocol request catching for debugging and security research

req.cat is a request catcher built for engineers and security practitioners who need a fast way to observe external interactions. Instead of spinning up several disposable services to track HTTP callbacks, DNS lookups, inbound mail, or blind XSS beacons, req.cat gives you one place to create a destination and inspect what comes back.

What req.cat is for

Modern application testing often depends on traffic that does not appear in your browser console or your primary API logs. A third-party integration may retry a webhook from a remote worker. A deserialization or SSRF test may trigger a DNS query long after the original request finishes. A blind XSS payload may only fire after an administrator opens a dashboard hours later. req.cat is designed for these situations: the delayed, distributed, and sometimes messy interactions that are difficult to capture with single-protocol tools.

The service creates stable targets that can be dropped into payloads, callback URLs, forms, headers, email content, configuration values, and proof-of-concept exploits. Once traffic lands, req.cat groups what it sees into a readable stream so you can confirm the interaction happened, inspect the protocol metadata, and keep moving without building a custom listener for every test.

I needed a tool that did this while also allowing me to steer the produced responses, like setting `Location` headers or injecting HTML tags in the response body; hence req.cat was born.

Use cases

  • webhook debugging
  • out-of-band application security testing for SSRF, XXE, deserialization, and callback workflows
  • blind XSS validation when a payload executes in a privileged browser long after initial submission
  • DNS logging and correlation for payloads that trigger name resolution instead of direct HTTP traffic
  • email, FTP, SSH, SMB, and TLS-oriented collection during infrastructure testing and research

Roadmap

  • longer-lived targets (maybe)
  • pass-through / request transformations
  • scriptable responses (CEL or Varnish based, maybe)
  • open source / self-host (if I'm feeling cute enough)

Abuse

If you suspect that a req.cat target was used with malicious intent or for unauthorized testing, please reach out at http://x.com/rc0_sh