Burp Suite Collaborator is a great tool for testing Out of Band Security but its only included in the Pro version and its not always affordable. Interactsh is an alternative to Burp Suites Collaborator and is easy to add to OWASP ZAP. Interactsh is an Open-Source tool for detecting out-of-band interactions. It’s a tool designed to detect vulnerabilities that cause external interactions.
Burp Suite maybe the top dog for Bug Bounty Hunters, Pen Testers and Ethical hackers but it also can be expensive, especially if you just starting out in the field. In this blog post I will cover the alternative to Burp Suite Collaborator and how to use Interactsh on OWASP ZAP.
OWASP ZAP is a great Open Source alternative to Burp Suite, but it has some small limitations. It can do almost everything Burp Suite can do but the interface and the documentation are not always intuitive for the novice. For example if you search google for ZAP and OAST the first result does not even mention interactsh, be sure you go to the correct document page in ZAPs own documentation and not rely on Google search results (bad habit). Also he settings for interactsh are buried deep inside the tool in a not so obvious place.
So lets get into it.
You need a Interactsh server installed. You can do this on your local system if its reachable from the internet but I recommend setting it up on a Digital Ocean dropplet. If you use the droplet it would be great if you can use my affiliated link. No worries if not. Other options are AWS free Tier or even Oracle OCI free Tier which each give you access to some free Virtual Machines.
You will need to set up your own DNS servers and update your domains DNS settings to point to them. Instructions are over on the project discovery interactsh github page.
The command I used to run the server is below,
sudo ~/go/bin/interactsh-server -domain mickostock.xyz -t 087924009
- sudo is used to run it as root, as you need access to privilged ports.
- -domain is used to specify my domain.
- -t sets an access token so clients can connect.
You will also need a OWASP ZAP installation. You can find the files for all Operating systems over at zaproxy web page. Once downloaded and installed, interactsh needs configuration. It’s included as part of the plugin OAST (Out of Band Applicaiton Security Testing). It came pre installed in my version of OWASP ZAP but you may need to make sure that the OAST plugin is installed from the market place.
If not already installed, then install the OAST tool.
Once installed you can go to Tools -> Options -> OAST configuration page to set it up.
This options page has several options for us to configure. First of all you need to put in the url for your interactsh server and any Authorisation Token if one was used. Once added then you can click the “New Payload” button to create a new FQDN that you can use for Out of Band testing.
Last thing to do is to highlight a payload and on your keyboard select “CTRL +c” to copy it. Unfortunately, right clicking this does not give you a context menu that allows you to copy it.
If all is successful you can hit “Ok” to save your settings.
Check all is Working!
To check its all working go back to the main OWASP page and in the bottom window we have to open the OAST Tab.
Just click on the plus button to add the OAST Tab.
From earlier we should still have the interactsh FQDN name copied in our clipboard. So lets try to ping it and see what happens.
Also lets try a curl command.
If we take a look in our OAST window we will see some activity.
So OAST will capture all the that happens against that IP address, perhaps revealing something useful!
The developers over at Project Discovery are great and always go the extra mile to make their software better. In the case of interactsh they created a front end for your interactsh server so you can track it from anywhere. Take a look at it at the below link.
Once you open the page you can add your own server. Click on the link in the top section
And add your own servers details
Interactsh is a powerful tool if you know how to use it. Using Interactsh on OWASP ZAP extends the functionality of ZAP even further and adding to an already great tool. If you find this post useful look me up on twitter and shoot me a tweet.
My interactsh server from above will be running for a few months after this blog is posted, feel free to use it.
I just want to give a shout out to the teams in project discovery and in OWASP ZAP for the effort they go to make such great software available to the community. Please don’t be just a consumer and try to support these great projects in any little way you can.