Since release of Nuclei v2.3.6, Nuclei supports using the interactsh API to achieve OOB based vulnerability scanning with automatic Request correlation built in. It’s as easy as writing {{interactsh-url}} anywhere in the request, and adding a matcher for interact_protocol. Nuclei will handle correlation of the interaction to the template & the request it was generated from allowing effortless OOB scanning.

Interactsh Placeholder

{{interactsh-url}} placeholder is supported in http and network requests.

An example of nuclei request with {{interactsh-url}} placeholders is provided below. These are replaced on runtime with unique interactsh URLs.

  - raw:
      - |
        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

Interactsh Matchers

Interactsh interactions can be used with word, regex or dsl matcher/extractor using following parts.

part
interactsh_protocol
interactsh_request
interactsh_response

interactsh_protocol

Value can be dns, http or smtp. This is the standard matcher for every interactsh based template with DNS often as the common value as it is very non-intrusive in nature.

interactsh_request

The request that the interactsh server received.

interactsh_response

The response that the interactsh server sent to the client.

Example of Interactsh DNS Interaction matcher:

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

Example of HTTP Interaction matcher + word matcher on Interaction content

matchers-condition: and
matchers:
    - type: word
      part: interactsh_protocol # Confirms the HTTP Interaction
      words:
        - "http"

    - type: regex
      part: interactsh_request # Confirms the retrieval of /etc/passwd file
      regex:
        - "root:[x*]:0:0:"