Since the release of Nuclei v2.3.6, Nuclei supports using the interactsh API to perform OOB (out-of-band) vulnerability scanning with automatic request correlation built in. It's as easy as writing {{interactsh-url}} anywhere in the request and adding a matcher for interactsh_protocol. Nuclei handles correlating each interaction to the template and the request it was generated from, allowing effortless OOB scanning.

Interactsh Placeholder

The {{interactsh-url}} placeholder is supported in http and network requests. An example of a Nuclei request with an {{interactsh-url}} placeholder is provided below. Placeholders are replaced at runtime with unique interactsh URLs.
  - raw:
      - |
        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

Interactsh Matchers

Interactsh interactions can be used with word, regex or dsl matchers/extractors using the following parts:

interactsh_protocol: Value can be dns, http or smtp. This is the standard matcher for every interactsh-based template, with dns often the common value as it is very non-intrusive in nature.
interactsh_request: The request that the interactsh server received.
interactsh_response: The response that the interactsh server sent to the client.

Example of Interactsh DNS Interaction matcher:
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
Example of HTTP Interaction matcher + word matcher on Interaction content:
matchers-condition: and
matchers:
    - type: word
      part: interactsh_protocol # Confirms the HTTP Interaction
      words:
        - "http"

    - type: regex
      part: interactsh_request # Confirms the retrieval of /etc/passwd file
      regex:
        - "root:[x*]:0:0:"
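
The correlation and matcher evaluation described above can be modelled in a few lines. This is an added example, not Nuclei's or interactsh's own code: the server domain, the Correlator class, the matches function and the interaction field names (host, protocol, raw_request, raw_response) are assumptions made for illustration.

```python
import re
import secrets

SERVER = "oob.example.test"  # constructed interactsh server domain (assumption)

class Correlator:
    """Toy model of placeholder substitution and interaction correlation."""
    def __init__(self):
        self.pending = {}  # unique label -> (template id, rendered request)

    def render(self, template_id, raw_request):
        # Every request gets its own host, so a later callback identifies it.
        label = secrets.token_hex(8)
        rendered = raw_request.replace("{{interactsh-url}}", f"{label}.{SERVER}")
        self.pending[label] = (template_id, rendered)
        return rendered

    def correlate(self, interaction):
        # The first DNS label of the contacted host is the correlation key;
        # callbacks with an unknown label return None and are ignored.
        label = interaction["host"].split(".")[0].lower()
        return self.pending.get(label)

def matches(interaction, matchers, condition="or"):
    """Evaluate word/regex matchers against the parts named on this page."""
    parts = {
        "interactsh_protocol": interaction["protocol"],
        "interactsh_request": interaction.get("raw_request", ""),
        "interactsh_response": interaction.get("raw_response", ""),
    }
    results = []
    for m in matchers:
        data = parts[m["part"]]
        if m["type"] == "word":
            results.append(any(w in data for w in m["words"]))
        else:  # regex matcher
            results.append(any(re.search(r, data) for r in m["regex"]))
    return all(results) if condition == "and" else any(results)
```

A DNS-only callback satisfies the first matcher example above but not the second, which requires both an HTTP interaction and the regex hit in the received request.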