tcob hook

HTTP and DNS callback capture for authorized testing. Events are saved locally, sent to Discord, and signed with an HMAC proof.

HTTP: hook.tcob.today / hooks.tcob.today DNS: dns.hook.tcob.today Body limit: 2.00 MiB Retention: 500 events

Quick Use

curl -X POST https://hook.tcob.today/webhook/my-test \
  -H 'Content-Type: application/json' \
  -d '{"hello":"world"}'

dig my-test.dns.hook.tcob.today

Use any readable ID after the route. Extra path segments are kept as part of the ID.

Capture Routes

RouteUse
/callback/<id>general callback, relaxed rate limit
/canary/<id>canary token, relaxed rate limit
/ssrf/<id>SSRF callback
/xss/<id>browser/script callback
/webhook/<id>webhook request and body capture
/email/<id>email link or tracking callback
/<category>/<id>custom category

Response Profiles

RouteResponse
/redirect/<id>?hops=3same-origin redirect chain, then /callback/<id>
/status/404/<id>capture, then return an allowlisted status
/delay/2/<id>capture, wait up to 5s, then return proof
/pixel/<id>capture, then return a transparent PNG
/script/<id>capture, then return JS that pings /callback/<id>/executed
/cors/<id>capture, then return proof with wildcard CORS
/oauth/<id>OAuth/OIDC redirect or form_post proof
/dcr/<id>dynamic client registration proof

OAuth / DCR

https://hook.tcob.today/oauth/test?code=abc123&state=xyz

curl -X POST https://hook.tcob.today/dcr/test \
  -H 'Content-Type: application/json' \
  -d '{"client_id":"client-123","client_secret":"secret-value"}'

/oauth and /dcr return the normal evidence receipt plus an oauth.artifacts object. It detects common and vendor-prefixed OAuth/DCR field names, including nested JSON keys containing token, secret, client, registration, software, redirect_uri, code, state, or error. Sensitive-looking values are returned as length, SHA-256, and a short preview, not full secrets.

URL fragments never reach the server. For implicit/hybrid flows, use response_mode=query, response_mode=form_post, or a target that sends the token in a request body.

Evidence

Admin

curl -H 'Authorization: Bearer <token>' https://hook.tcob.today/admin/recent
curl -H 'Authorization: Bearer <token>' 'https://hook.tcob.today/admin/export?format=jsonl'
curl -H 'Authorization: Bearer <token>' https://hook.tcob.today/admin/lookup/test

Machine-readable route inventory: /docs.json.