interactsh icon indicating copy to clipboard operation
interactsh copied to clipboard

Published 20 hours ago verified publisher icon projectdiscovery

Ability to have self-hosted interactsh-server act as a reverse proxy

Open justinsteven opened this issue 3 years ago • 0 comments

Please describe your feature request:

interactsh-server's http-directory option is useful for serving static content. It can be used to publish static files at https://interactsh-server.example/s/

It is, however, sometimes also useful to publish dynamic content, such as a php file that does a 300 redirect.

In such a case, it would be useful if interactsh-server could be configured to act as a reverse proxy through to, say, nginx+php. The dynamic content could be generated by the backend, while still allowing a user of interactsh-client to get information in their terminal about requests for the content.

This could then be published to the world at, say, https://interactsh-server.example/d/ (d for 'dynamic')

Mock-up

This is a synthetic mock-up. Please excuse any inconsistencies in the fake data.

Assume that nginx+php is running on the same host as interactsh-server, bound to 127.0.0.1:8000

% cat /var/www/html/d0b8a497-bddf-4e92-8db2-22d2d769266d.php
<?php

header("Foo: bar");
header("Location: https://example.com");

% curl -v http://127.0.0.1/d0b8a497-bddf-4e92-8db2-22d2d769266d.php
[... SNIP ...]
> GET /d0b8a497-bddf-4e92-8db2-22d2d769266d.php HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Sat, 06 Aug 2022 06:27:06 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Foo: bar
< Location: https://example.com
<

interactsh-server has been started:

% interactsh-server -dynamic-backend 'http://127.0.0.1:8000'
[... SNIP ...]
[INF] Using dynamic backend (http://127.0.0.1:8000) to serve from : interactsh-server.example/d/
[... SNIP ...]

A user of interactsh-client can then get a hostname:

% interactsh-client -server interactsh-server.example -v
[... SNIP ...]
[INF] Listing 1 payload for OOB Testing
[INF] cbn0m7tl8pdf22ug0qg05qc7r9rw6ph7j.interactsh-server.example

The dynamic content can be retrieved through the interactsh-server instance at the magic /d/ path:

% curl https://cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j.interactsh-server.example/d/d0b8a497-bddf-4e92-8db2-22d2d769266d.php -v
[... SNIP ...]
> GET /d/d0b8a497-bddf-4e92-8db2-22d2d769266d.php HTTP/1.1
> Host: cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j.interactsh-server.example
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Sat, 06 Aug 2022 06:27:06 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Foo: bar
< Location: https://example.com
<
* Connection #0 to host cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j.interactsh-server.example left intact

Furthermore, the user of interactsh-client sees everything:

[cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j] Received DNS interaction (AAAA) from <REDACTED> at 2022-08-06 06:35:05
------------
DNS Response
------------

[... SNIP ...]


[cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j] Received HTTP interaction from <REDACTED> at 2022-08-06 06:35:05
------------
HTTP Request
------------

GET /d/d0b8a497-bddf-4e92-8db2-22d2d769266d.php HTTP/2.0
Host: cbn0mgdl8pdf29rc0la0k7zzp7reaxa7j.interactsh-server.example
Accept: */*
User-Agent: curl/7.64.0



-------------
HTTP Response
-------------

HTTP/1.1 302 Found
Server: nginx/1.14.2
Date: Sat, 06 Aug 2022 06:27:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Foo: bar
Location: https://example.com

Describe the use case of this feature:

A user of interactsh-client against a self-hosted interactsh-server can get the benefits of both:

  • interactsh-client to get rapid telemetry about accesses for the dynamically generated content; and
  • The use of dynamic content to show customised responses based on attributes of the original request, control over the response headers, ability to do something about the OOB interaction dynamically on the server-side without the need for an interactsh-client tuned in, etc.

Implementation note

The reverse proxy should be polite and as spec-compliant as possible. It should give the following attributes to the backend:

  • (X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto); and/or Forwarded
  • Via
  • etc.

justinsteven avatar Aug 06 '22 06:08 justinsteven