Oast - Out-of-band interactions in your web server logs

Have you ever been looking through your web logs and seen entries like this one:

GET /v1/avatars/favicon?url=http://xyzabc.oast.pro HTTP/1.1 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"

Or maybe looking like this:

GET /wp-admin/admin.php?page=wc-settings&action=redirect_telcell_form&api_url=https://oast.me HTTP/1.1 "-" "Mozilla/5.0 (Debian; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"

And wondered what they are being used for? Notice that both contain an external URL (oast.pro or oast.me). So what are those domains used for? They are installations of Interactsh, an open source tool for detecting out-of-band interactions.

Out-of-band interactions are mainly used to detect vulnerabilities that cause external interactions, such as a DNS request or an HTTP connection to an external site. The technique is used by pen-testers and internal security engineers, but also by external attackers trying to find vulnerabilities in your website.

So whenever you see these in your logs, it is most likely an attack. Many bots and scanners use this type of technique when attempting XSS injections, for example. If you see them with a 404 (not found), you are likely OK, but if you see one with a 200 (success) - and it was not blocked - it is worth investigating further.

Note that anyone can set up a domain and install Interactsh, so it does not always have to be the oast.pro, oast.me or oast.live domains; those are just examples we saw in our logs.

Other examples of Interactsh domains we found: a.xdnso.cc, oast.site, oast.online, oast.live, etc.
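The triage described above (flag any request whose query string points at a known Interactsh domain, then separate the 404 probes from the 200s that deserve a closer look) as a small log scanner. This is an added example, not part of the original post: the log lines are constructed in combined log format so that a status code is available, and the domain list is only the set named in this post.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Interactsh (OAST) domains mentioned in the post. Anyone can self-host
# Interactsh, so extend this set with whatever shows up in your own logs.
OAST_DOMAINS = {"oast.pro", "oast.me", "oast.live", "oast.site",
                "oast.online", "a.xdnso.cc"}

# Combined log format (assumed layout for this example); the status code is
# what lets us tell a 404 probe from a request the application actually served.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def is_oast_host(host):
    """True if host is a known Interactsh domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OAST_DOMAINS)

def oast_hosts_in_target(target):
    """OAST hostnames found in query values, whether given as a full URL
    (url=http://x.oast.pro, possibly percent-encoded) or a bare host."""
    found = []
    for _, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
        try:
            host = urlparse(value if "://" in value else "//" + value).hostname or ""
        except ValueError:  # malformed value such as an unbalanced IPv6 literal
            continue
        if host and is_oast_host(host):
            found.append(host)
    return found

def triage(line):
    """Classify one access-log line; None when no OAST callback is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hosts = oast_hosts_in_target(m["target"])
    if not hosts:
        return None
    status = int(m["status"])
    # Per the post: 404 means the probed endpoint does not exist; a 2xx means
    # the application accepted the request and may have fetched the URL.
    verdict = "investigate" if 200 <= status < 300 else "probe-failed"
    return {"ip": m["ip"], "status": status, "hosts": hosts, "verdict": verdict}

# Constructed sample lines modelled on the two requests quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /v1/avatars/favicon?url=http://xyzabc.oast.pro HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-admin/admin.php?page=wc-settings&action=redirect_telcell_form&api_url=https%3A%2F%2Foast.me HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?ref=https://example.com/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

Pipe a real access log through `triage` line by line and alert only on the "investigate" verdicts; the "probe-failed" ones are still useful as a count of how often you are being scanned.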

And if you have not been looking at your logs, you are missing out on the fun. :)

Posted in web_attacks by trunc_team
