OutOfBits
// out-of-band

The OAST listener that talks back.

DNS & HTTP callbacks captured. Mutate the response with Python. Sandboxed. Audited. Replayable against any past interaction.

Platform vital signs · last 30 days

  5,005 callbacks captured
  2,672 DNS queries answered
  2,333 HTTP requests served
  3 hosts in use
  3 modifiers running

What you can do

01

Confirm a blind callback

Generate a one-shot host, plant the URL, watch it land.

# in any vulnerable parameter:
http://a8x2.o.outofbits.com/probe

# on /interactions (live, ~1s after firing):
GET /probe         200 OK
DNS A query        NOERROR

02

Mutate the response

Sandboxed Python that runs on every callback. Change status, add headers, rewrite the body.

def handle_http(ctx):
    if ctx.request.path == "/admin":
        ctx.response.status_code = 401
        ctx.response.headers["WWW-Authenticate"] = \
            'Basic realm="x"'
    return ctx

03

Pipeline & audit

Compose modifiers in order. Per-stage input/output snapshots — see exactly what each step did.

pipeline "tarpit" · http
  ├─ add-trace-header     ok 12 ms
  ├─ canned-401            ok  3 ms
  └─ log-source-ip         ok  5 ms
  on_error: stop      total: 20 ms

// defense in depth

Five layers of sandbox.

Modifiers are arbitrary user code. So they run in a fresh subprocess, blocked from doing anything they shouldn't.

  1. AST allowlist — no import statements, dunder names, open or eval.
  2. Restricted builtins — modifiers see only a curated subset of __builtins__.
  3. rlimits — 1s CPU · 100 MiB · NPROC=0 · 32 FDs.
  4. seccomp — networking, ptrace, mount, kexec, modules — all EPERM.
  5. Landlock — kernel-enforced filesystem isolation. No paths.
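
How the first two layers fit together, as an added example: this is not OutOfBits code, and the listener's real checker, its curated builtins list and the exact shape of `ctx` are not shown on this page, so `check_modifier`, `SAFE_BUILTINS`, `make_ctx` and the sample modifiers below are all assumptions. The AST pass rejects imports, dunder names and calls to open/eval (exec and compile are added on the same reasoning), and the loader then runs whatever passes with a restricted `__builtins__` dict. Layers 3 to 5 (rlimits, seccomp, Landlock) are OS-level controls around the subprocess and are not modelled here.

```python
import ast
import builtins
import types

# Layer 1: calls the allowlist refuses. The page names open and eval;
# exec and compile are an assumption added because they reach the same places.
FORBIDDEN_CALLS = {"open", "eval", "exec", "compile"}

# Layer 2: the page says "a curated subset" but does not list it; this subset is
# an assumption. getattr/setattr/vars/globals are left out on purpose so a string
# cannot reach a dunder that the AST pass would reject as a literal attribute.
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("len", "str", "int", "bool", "dict", "list", "tuple", "set",
                 "min", "max", "sorted", "enumerate", "zip", "range", "any",
                 "all", "isinstance", "ValueError", "KeyError")
}


class ModifierRejected(ValueError):
    """Raised when a modifier fails the static allowlist or has no handler."""


def check_modifier(source: str) -> list[str]:
    """Return every allowlist violation in a modifier; an empty list means it passes."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error: {exc.msg}"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            violations.append(f"line {node.lineno}: import is not allowed")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            violations.append(f"line {node.lineno}: dunder name {node.id!r} is not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"line {node.lineno}: dunder attribute {node.attr!r} is not allowed")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in FORBIDDEN_CALLS:
                violations.append(f"line {node.lineno}: call to {func.id}() is not allowed")
    return violations


def load_modifier(source: str):
    """Run the AST check, then exec the source under restricted builtins and return handle_http."""
    violations = check_modifier(source)
    if violations:
        raise ModifierRejected("; ".join(violations))
    namespace = {"__builtins__": SAFE_BUILTINS}
    exec(compile(source, "<modifier>", "exec"), namespace)
    handler = namespace.get("handle_http")
    if not callable(handler):
        raise ModifierRejected("modifier must define handle_http(ctx)")
    return handler


def make_ctx(path: str) -> types.SimpleNamespace:
    """Constructed stand-in for the listener's ctx; only the fields the page's snippet uses."""
    return types.SimpleNamespace(
        request=types.SimpleNamespace(path=path),
        response=types.SimpleNamespace(status_code=200, headers={}, body=b""),
    )


# The page's own canned-401 modifier, as a string the loader can check and run.
CANNED_401 = '''
def handle_http(ctx):
    if ctx.request.path == "/admin":
        ctx.response.status_code = 401
        ctx.response.headers["WWW-Authenticate"] = 'Basic realm="x"'
    return ctx
'''

# Constructed inputs that the allowlist must refuse, one per rule.
REJECTED = {
    "import": "import os\ndef handle_http(ctx):\n    return ctx\n",
    "open": "def handle_http(ctx):\n    open('/etc/hostname')\n    return ctx\n",
    "dunder": "def handle_http(ctx):\n    ctx.response.body = str(().__class__)\n    return ctx\n",
}

if __name__ == "__main__":
    handler = load_modifier(CANNED_401)
    ctx = handler(make_ctx("/admin"))
    print(ctx.response.status_code, ctx.response.headers)
    for name, src in REJECTED.items():
        print(name, "->", check_modifier(src))
```

The static pass and the restricted builtins only cover what the source says literally, which is why the two are combined and why the page backs them with process-level limits: a checker that passes `getattr(x, "__cl" + "ass__")` is exactly the case the missing `getattr` in `SAFE_BUILTINS` closes, and anything that still slips through lands in a subprocess with no network, no filesystem paths and a one-second CPU budget.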

Want the full picture? User guide.

Built by Carl Sampson.