Alternatives to interact.sh for Out-of-band resource load

Penetration Testing Wiki


Sometimes, when performing a pentest or working on a bug bounty, we need an external site to verify blind injections or to exfiltrate data. This is known as Out-of-Band, or just OOB.



Some of the newest vulnerabilities found, such as log4j, also needed an OOB DNS resource to validate whether a machine could be compromised.

There are some free Out-of-band (OOB) resources available on the internet. Let's review the most important ones:

  1. Burp Collaborator: Paid resource, you will need Burp Suite to run it.
  2. Interact.sh: Free resource, you can interact directly in their Web UI. No need to register.
  3. Canarytokens.org: Free resource, sends you the result via your email or your webhook!
  4. requestbin.net: Free, no registration. Valid for HTTP and DNS requests.
  5. dnslog.cn: Free, no registration.
  6. If you have a VPS, you can just use netcat to intercept any traffic coming to your host. For example, if you are expecting traffic on port 8080: `nc -vvv -l -p 8080`. If you would like to check against log4j, just substitute the LDAP port 389 for the port: `nc -vvv -l -p 389`
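
Because these services sit on well-known domains, a DNS lookup for one of them from inside a network is a useful signal that an OOB test or a blind-injection callback has taken place. The following is an added example, not part of the original post: it scans a DNS query log for the domains listed above, and the log format and sample lines are constructed for illustration.

```python
"""Flag DNS queries to the public OOB services listed above (added example)."""
from collections import defaultdict

# Domains taken from the list above; extend with any self-hosted OOB domain.
OOB_DOMAINS = ("interact.sh", "canarytokens.org", "requestbin.net", "dnslog.cn")

# Constructed sample log (assumed format: "<timestamp> <client-ip> <qname> <qtype>").
SAMPLE_LOG = """\
2024-01-10T09:14:02Z 10.0.4.17 c8k2example.interact.sh. A
2024-01-10T09:14:05Z 10.0.4.17 www.example.com. A
2024-01-10T09:15:40Z 10.0.7.3 X1Y2.DNSLOG.CN A
2024-01-10T09:16:11Z 10.0.7.3 notinteract.sh. A
2024-01-10T09:17:29Z 10.0.4.17 tok123.canarytokens.org. TXT
malformed line
"""

def matched_service(qname):
    """Return the OOB domain that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    for domain in OOB_DOMAINS:
        # Label-boundary match, so "notinteract.sh" does not match "interact.sh".
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def find_oob_lookups(log_text):
    """Map client IP -> list of (timestamp, qname, service) for matching queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, qname, _qtype = fields
        service = matched_service(qname)
        if service:
            hits[client].append((timestamp, qname, service))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_oob_lookups(SAMPLE_LOG).items():
        for timestamp, qname, service in events:
            print(f"{timestamp} {client} queried {qname} ({service})")
```

A hit is not proof of compromise: it can equally come from an authorised test or from a canary token deployed on purpose, so correlate it with the client and the time of any scheduled testing.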
