OOB Testing
Understanding OOB testing with Nuclei Templates
Since release of Nuclei v2.3.6, Nuclei supports using the interactsh API to achieve OOB based vulnerability scanning with automatic Request correlation built in. It’s as easy as writing {{interactsh-url}}
anywhere in the request, and adding a matcher for interact_protocol
. Nuclei will handle correlation of the interaction to the template & the request it was generated from allowing effortless OOB scanning.
Interactsh Placeholder
{{interactsh-url}}
placeholder is supported in http and network requests.
An example of nuclei request with {{interactsh-url}}
placeholders is provided below. These are replaced on runtime with unique interactsh URLs.
Interactsh Matchers
Interactsh interactions can be used with word
, regex
or dsl
matcher/extractor using following parts.
part |
---|
interactsh_protocol |
interactsh_request |
interactsh_response |
interactsh_protocol
Value can be dns, http or smtp. This is the standard matcher for every interactsh based template with DNS often as the common value as it is very non-intrusive in nature.
interactsh_request
The request that the interactsh server received.
interactsh_response
The response that the interactsh server sent to the client.
Example of Interactsh DNS Interaction matcher:
Example of HTTP Interaction matcher + word matcher on Interaction content
Was this page helpful?