DEV.co
Open-Source Security · projectdiscovery

interactsh

Interactsh is an open-source out-of-band (OOB) interaction detection tool used to identify vulnerabilities that trigger external interactions. It provides both a client library and a self-hosted server supporting DNS, HTTP(S), SMTP(S), and LDAP channels with encryption and zero logging.

Source: GitHub — github.com/projectdiscovery/interactsh
4.4k
GitHub stars
467
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryprojectdiscovery/interactsh
Ownerprojectdiscovery
Primary languageGo
LicenseMIT — OSI-approved
Stars4.4k
Forks467
Open issues17
Latest releasev1.3.1 (2026-03-10)
Last updated2026-07-03
Sourcehttps://github.com/projectdiscovery/interactsh

What interactsh is

Built in Go, Interactsh operates as a dual-component system: a client that generates unique payloads for injection testing, and a server that captures and logs interactions across multiple protocols. It offers self-hosted deployment with wildcard DNS support, ACME-based TLS automation, and optional authentication.

Quickstart

Get the interactsh source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/projectdiscovery/interactsh.gitcd interactsh# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Out-of-band vulnerability detection in penetration testing

Generate and track OOB payloads across DNS, HTTP, SMTP, and LDAP to confirm blind SQL injection, SSRF, XXE, and other interaction-based vulnerabilities.

Bug bounty and security research workflows

Designed specifically for security researchers; integrates with Burp Suite and ZAP; supports Docker deployment for rapid setup and payload generation.

Self-hosted security infrastructure for enterprises

Deploy on-premises Interactsh servers for air-gapped or compliance-restricted environments; supports multiple domains, custom SSL certificates, and RESPONDER-style listeners.

Implementation considerations

  • Verify Go version >= 1.20 for client and self-hosted server installation; confirm Docker availability if containerized deployment is preferred.
  • For self-hosted deployment: plan DNS zone delegation (wildcard records), TLS certificate management via ACME, and network egress rules for interaction capture.
  • Configure PDCP_API_KEY for managed cloud payload servers, or run private instance; understand polling interval (default 5s) impact on testing workflow latency.
  • Review encryption model (AES mentioned in docs) and session persistence via session files; test interaction filtering and output formats (JSON, text) before production use.
  • If using Burp/ZAP integration: validate plugin compatibility with your version and confirm payload injection points align with your testing scope.

When to avoid it — and what to weigh

  • Monitoring or logging production traffic — Interactsh is narrowly scoped for security testing OOB interactions, not general network monitoring or logging infrastructure.
  • Requirement for HIPAA/PCI compliance without auditing capability — While it advertises 'zero logging,' no compliance certifications or audit reports are evident in the repository. Self-hosted deployments require independent security review.
  • Teams unfamiliar with Go or container deployment — Self-hosted server setup requires Go 1.20+ or Docker. CLI client also requires Go 1.20+; no prebuilt binaries documented for all platforms.
  • Real-time, high-volume interaction correlation at scale — Not designed for massive-scale telemetry collection; best suited for targeted testing sessions with manageable payload counts.

License & commercial use

Licensed under MIT (permissive OSI license). Permits commercial use, modification, and distribution with minimal restrictions. Requires inclusion of original license and copyright notice.

MIT license explicitly permits commercial use. No proprietary restrictions, source code modifications, or resale limitations. However, no indemnification or warranty is provided. Recommend review by legal/compliance team before embedding in commercial products, especially for liability-sensitive contexts.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool advertises AES encryption for payload/response data and 'zero logging' on managed servers. Claims ACME-based automatic TLS with wildcard certificate renewal. Independent security audits not evident. Self-hosted deployments inherit responsibility for secure TLS, DNS delegation, network isolation, and payload handling. Ensure interactsh-client and server versions are kept current to receive security patches.

Alternatives to consider

Burp Suite Collaborator

Proprietary, integrated OOB detection within Burp Pro; easier UI but vendor lock-in and ongoing licensing cost; limited to Burp ecosystem.

Request Bin / Webhook.site

Simpler HTTP-only payload inspection; lightweight but lacks DNS/SMTP/LDAP support; less suited for professional penetration testing workflows.

CanaryTokens

Free, hosted OOB detection for DNS/HTTP; minimal setup; less configurable and limited to basic vulnerability validation vs. targeted security testing.

Software development agency

Build on interactsh with DEV.co software developers

Get started with the open-source client or deploy a self-hosted server. No licensing fees, full source transparency, and integration with your favorite security tools.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

interactsh FAQ

Can I use Interactsh in a fully air-gapped environment?
Yes, via self-hosted server deployment. You must stand up your own interactsh-server instance and configure DNS/network egress. The managed cloud servers (oast.pro, etc.) require Internet connectivity.
Does Interactsh log or retain interaction data on managed servers?
README claims 'zero logging,' but no independent audit or SLA is provided. For sensitive testing, self-hosting is recommended and will require your own security controls and data retention policies.
How does Interactsh differ from Burp Collaborator?
Interactsh is open-source and self-hostable; Collaborator is proprietary and tied to Burp Pro. Interactsh supports more protocols (LDAP, RESPONDER) but has less polished UI integration.
What are the compute/network requirements for self-hosted server?
Not explicitly documented in the README. Recommend starting with single-instance Go app or Docker container; scale based on payload volume and region. Wildcard DNS and TLS overhead minimal for typical testing workloads.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like interactsh. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Deploy Interactsh for Your Security Testing

Get started with the open-source client or deploy a self-hosted server. No licensing fees, full source transparency, and integration with your favorite security tools.