What is Interactsh?
Interactsh is a server-client implementation that allows users to identify blind Out-of-Band (OOB) vulnerabilities that may not be detected by conventional testing methods.
Out-of-Band testing works by generating dynamic URLs, which when requested by the target, trigger a callback. This callback can be used to identify a vulnerability.
Why did we build Interactsh?
We wanted an Open-Source solution for Blind OOB testing. Interactsh simplifies the server setup process. It also offers a lucrative opportunity to integrate with Nuclei and make it automation-friendly for everyone.
Server Architecture of Interactsh
Interactsh comes with a server that can emulate HTTP, DNS, and SMTP with wildcards enabled. Just by running the interactsh server and pointing your Nameserver to
interactsh-host, you can get a full interaction-capturing server that runs 24/7.
The Interactsh server keeps all data in its memory, and logging cannot be performed on the server's side. RSA encryption is used for key transmissions while AES is used for data encryption. Keys and interactions are stored in its memory where interactions are always encrypted and decrypted on the client's side.
Interactsh-client is a CLI tool that generates dynamic and unique URLs that you can use with OOB testing and communicate with the Interactsh server API, allowing you to retrieve available OOB interactions.
At ProjectDiscovery, we are fans of great UX and design. So, we also developed a web client that will communicate with the interactsh server and present the data with a nice-looking GUI. Data retrieval and decryption are performed at the browser level. The browser's local storage is used to store the data. Hosted web-client is accessible at https://interact.projectdiscovery.io
Interactsh-server is a custom web server written in golang, supporting DNS/HTTP/SMTP interactions. You can always run and self-host your own interactsh-server that runs 24/7 by following the instructions detailed here.
The Future of this Project
Nuclei integration - We are already working on this integration to make OOB- based exploit testing simple and automatable.
Got some questions about Interactsh? Feel free to tweet us at @pdiscoveryio or jump in our discord server to discuss more security and automation.