Alternatives to interact.sh for Out-of-band resource load
Sometimes when we are performing a pentest or bug bounties we need an external site to verify some blind injections or exfiltrate data. This is known as Out-of-Band or just OOB.
Also in some of the newest vulnerabilities found, such as log4j, also needed a OOB DNS resource to validate if a machine could be compromised.
There are some free Out-of-band (OOB) resources available on the internet, let’s review the most important ones:
- Burpcollaborator: Paid resource, you will need Burpsuite to run it.
- Interact.sh: Free resource, you can interact directly in their Web UI. No need to register.
- Canarytokens.org: Free resource, sends you the result via your email or your webhook!
- requestbin.net: Free, no registration. Valid for HTTP and DNS requests.
- dnslog.cn: Free, no registration.
- If you have a VPS you can just use netcat to intercept any traffic coming to your host with: nc -vvv -l -p 8080 for example, if you are expecting traffic on port 8080. If you would like to check against log4j just substitute the port by LDAP port 389 like nc -vvv -l -p 389