diff --git a/README.md b/README.md index 6f31f0cc..de7c6eb4 100644 --- a/README.md +++ b/README.md @@ -248,7 +248,7 @@ interactsh-client | notify ## Interactsh Web Client -[Interactsh-web](https://github.com/projectdiscovery/interactsh-web) is a free and open-source web client that displays Interactsh interactions in a well-managed dashboard in your browser. It uses the browser's local storage to store and display all incoming interactions. By default, the web client is configured to use **interact.sh** as default interactsh server, and supports other self-hosted public/authencaited interactsh servers as well. +[Interactsh-web](https://github.com/projectdiscovery/interactsh-web) is a free and open-source web client that displays Interactsh interactions in a well-managed dashboard in your browser. It uses the browser's local storage to store and display all incoming interactions. By default, the web client is configured to use **oast.fun** as default interactsh server, and supports other self-hosted public/authencaited interactsh servers as well. A hosted instance of **interactsh-web** client is available at https://app.interactsh.com @@ -277,9 +277,9 @@ $ docker run projectdiscovery/interactsh-client:latest [INF] c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.oast.pro ``` -## Burp Suite Extension +## Burp Suite Original Extension -[interactsh-collaborator](https://github.com/wdahlenburg/interactsh-collaborator) is Burp Suite extension developed and maintained by [@wdahlenb](https://twitter.com/wdahlenb) +[interactsh-collaborator](https://github.com/wdahlenburg/interactsh-collaborator) is an original Burp Suite interactsh extension developed and maintained by [@wdahlenb](https://twitter.com/wdahlenb) - Download latest JAR file from [releases](https://github.com/wdahlenburg/interactsh-collaborator/releases) page. - Open Burp Suite → Extender → Add → Java → Select JAR file → Next @@ -288,9 +288,20 @@ $ docker run projectdiscovery/interactsh-client:latest burp -## OWASP ZAP Add-On +## Burp Suite Revised Extension -Interactsh can be used with OWASP ZAP via the [OAST add-on for ZAP](https://www.zaproxy.org/docs/desktop/addons/oast-support/). With ZAP's scripting capabilities, you can create powerful out-of-band scan rules that leverage Interactsh's features. A standalone script template has been provided as an example (it is added automatically when you install the add-on). +[interactsh-collaborator-rev](https://github.com/TheArqsz/interactsh-collaborator-rev) is a revised version of the original Burp Suite interactsh extension and is developed and maintained by [@Arqsz](https://arqsz.net/) + +- Download latest JAR file from [releases](https://github.com/TheArqsz/interactsh-collaborator-rev/releases) page. +- Open Burp Suite → Extender → Add → Java → Select JAR file → Next +- New tab named **Interactsh** will be appeared upon successful installation. +- See the [interactsh-collaborator-rev](https://github.com/TheArqsz/interactsh-collaborator-rev) project for more info. + +burp + +## ZAP Add-On + +Interactsh can be used with ZAP via the [OAST add-on for ZAP](https://www.zaproxy.org/docs/desktop/addons/oast-support/). With ZAP's scripting capabilities, you can create powerful out-of-band scan rules that leverage Interactsh's features. A standalone script template has been provided as an example (it is added automatically when you install the add-on). - Install the OAST add-on from the [ZAP Marketplace](https://www.zaproxy.org/addons/). - Go to Tools → Options → OAST and select **Interactsh**. @@ -303,9 +314,6 @@ Interactsh can be used with OWASP ZAP via the [OAST add-on for ZAP](https://www. ![zap](https://user-images.githubusercontent.com/16446369/135211920-ed24ba5a-5547-4cd4-b6d8-656af9592c20.png) *Interactsh in ZAP* -![Options > OAST > General](https://github.com/hahwul/interactsh/assets/13212227/005bb527-3f60-4822-8b76-f9a3fd06df83) -*`Options` > `OAST` > `General`* - ## Caido Extension [quickssrf](https://github.com/caido-community/quickssrf) is Caido extension developed and maintained which allows using Interactsh from within Caido Proxy. @@ -871,8 +879,8 @@ Currently supported metadata services: Example: -* **aws.interact.sh** points to 169.254.169.254 -* **alibaba.interact.sh** points to 100.100.100.200 +* **aws.oast.fun** points to 169.254.169.254 +* **alibaba.oast.fun** points to 100.100.100.200 ----- diff --git a/go.mod b/go.mod index 41332ffc..6afa639d 100644 --- a/go.mod +++ b/go.mod @@ -107,7 +107,7 @@ require ( github.com/projectdiscovery/machineid v0.0.0-20250715113114-c77eb3567582 // indirect github.com/projectdiscovery/mapcidr v1.1.97 // indirect github.com/projectdiscovery/networkpolicy v0.1.34 // indirect - github.com/refraction-networking/utls v1.8.0 // indirect + github.com/refraction-networking/utls v1.8.2 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect github.com/shirou/gopsutil/v3 v3.24.5 // indirect diff --git a/go.sum b/go.sum index c510b2fb..621a2148 100644 --- a/go.sum +++ b/go.sum @@ -311,8 +311,8 @@ github.com/projectdiscovery/retryablehttp-go v1.3.5/go.mod h1:2ma5Itx44tgfZCtHqn github.com/projectdiscovery/utils v0.9.0 h1:eu9vdbP0VYXI9nGSLfnOpUqBeW9/B/iSli7U8gPKZw8= github.com/projectdiscovery/utils v0.9.0/go.mod h1:zcVu1QTlMi5763qCol/L3ROnbd/UPSBP8fI5PmcnF6s= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/refraction-networking/utls v1.8.0 h1:L38krhiTAyj9EeiQQa2sg+hYb4qwLCqdMcpZrRfbONE= -github.com/refraction-networking/utls v1.8.0/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM= +github.com/refraction-networking/utls v1.8.2 h1:j4Q1gJj0xngdeH+Ox/qND11aEfhpgoEvV+S9iJ2IdQo= +github.com/refraction-networking/utls v1.8.2/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM= github.com/remeh/sizedwaitgroup v1.0.0 h1:VNGGFwNo/R5+MJBf6yrsr110p0m4/OX4S3DCy7Kyl5E= github.com/remeh/sizedwaitgroup v1.0.0/go.mod h1:3j2R4OIe/SeS6YDhICBy22RWjJC5eNCJ1V+9+NVNYlo= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= diff --git a/pkg/storage/storagedb.go b/pkg/storage/storagedb.go index 019f9822..d29a595c 100644 --- a/pkg/storage/storagedb.go +++ b/pkg/storage/storagedb.go @@ -73,10 +73,26 @@ func New(options *Options) (*StorageDB, error) { return storageDB, nil } +// OnCacheRemovalCallback is called by the in-memory cache when a correlation +// ID entry is evicted (e.g. TTL expiry). It removes the corresponding +// LevelDB entry so that stale encrypted data from the old AES key is not +// returned to a client that later re-registers the same correlation ID with +// a new key. +// +// The previous implementation had two bugs: +// 1. It asserted `value.([]byte)`, but the cache stores `*CorrelationData`, +// so the assertion always failed and the LevelDB entry was never deleted. +// 2. Even if the assertion succeeded, `key` (the shadow variable) would be +// the value bytes, not the correlation-ID string — deleting the wrong key. func (s *StorageDB) OnCacheRemovalCallback(key cache.Key, value cache.Value) { - if key, ok := value.([]byte); ok { - _ = s.db.Delete(key, &opt.WriteOptions{}) + if !s.Options.UseDisk() { + return } + correlationID, ok := key.(string) + if !ok { + return + } + _ = s.db.Delete([]byte(correlationID), &opt.WriteOptions{}) } func (s *StorageDB) GetCacheMetrics() (*CacheMetrics, error) {