Add "broadcast" flag for reporting all interactions to all clients

[denandz]

Please describe your feature request:

When running a private interactsh server and embedding URLs and payloads into more complex fuzzing lists, it's helpful to be able to have any interactsh client see all interactions that reach the server, not just the interactions specific to that clients domain.

The flag would ideally be specified server-side, and configure interactsh-server in such a way that any client which connects to the server sees all requests that reach that domain, regardless of the specific sub domain.

Describe the use case of this feature:

A team of security testers may embed a certain payload, say, fooo.myinteractserver.io into a set of test cases, and all testers will then run interactsh and look for those specific integrations.

Similarly, multiple testers working on the same target may want to share an interactsh server/session/whatever and see each others requests in an easy way.

For custom wordlists and fuzzing payloads, especially those requiring bizarre encoding, this would allow those wordlists to be created once and not require post-processing to modify the payloads to point to a specific sub domain.

Note - this feature if controlled by the client-side would introduce an information disclosure vulnerability where client A can see interactions destined for client B. What I'm suggesting is a server-side flag that creates this condition on purpose and not-by-default.

Implementation

I'm happy to figure out this feature and get a PR together provided this is something the project would be interested in merging

[GeorginaReeder]

Thanks for your feature request @denandz , we'll take a look into this! :)

[denandz]

Just following up on this @GeorginaReeder - was there any objections to this feature? I can put it on the todo-list to implement this functionality and send a PR

[ehsandeep]

@denandz There’s already an option for this in server, can you confirm if this is what you’re looking for?

   -wc, -wildcard  Enable wildcard interaction for Interactsh domain (authenticated)

[tweidinger]

I tested the wildcard configuration option on my self hosted instance and I expected to get all interactions but the client does not allow for any kind of wildcard/subdomain flag to receive the interaction nor does the server log any kind of interaction (except for debug mode where everything is logged verbosely).

I get this warning in debug mode on the server side for any interaction that does not belong to an existing correlation id:

[WRN] Could not store root tld http interaction: could not encrypt event data: crypto/aes: invalid key size 0

Is this a bug in the wildcard feature or did I misunderstand the scope of the feature?

Edit: Nevermind this comment as I found another unrelated bug with disk storage that caused the interactions to be not written to disk. With in memory store the wildcard interactions are displayed and fulfill the use case.