Support for infinite eviction on self-hosted interactsh-server

[justinsteven]

Please describe your feature request:

New option to support:

-ne, -no-eviction int       disable periodic data eviction from memory

---

README.md for interactsh-server says:

-e, -eviction int       number of days to persist interaction data in memory (default 30)

There should be a way to specify an infinite eviction (i.e. disable the purging of sessions and interaction data)

Describe the use case of this feature:

Someone with a self-hosted interactsh-server may want to do very long-running polling of a session. For example:

• Day 0 - create an interactsh session and do a very long poll against it using interactsh-client, e.g. piped to notify
• Day 1 - use the session to generate canary hostnames. Use those hostnames e.g. in a blind time-delayed SSRF or blind XSS scenario
• Day 100 - have the hostname be accessed by a victim, receive notification of this event

With the default eviction of 30 days, my understanding is that the long-running interactsh-client started on day 0 will silently stop receiving events after 30 days. The interactsh-client will stay connected and will keep polling, will not get any errors, but will not receive events.

Alternative solution:

A user of interactsh-server can do -e 999999 to get an essentially infinite eviction time :) but this is not very clean

Risks

There might be an accidental or malicious DoS risk to an interactsh-server that is configured to never evict sessions

See also

Discussion re: this issue at https://discord.com/channels/695645237418131507/837760016822829147/1050207078393856020

[justinsteven]

Above, I said:

The interactsh-client will stay connected and will keep polling, will not get any errors, but will not receive events.

pd-team on Discord said:

something to confirm in the CLI client, but I can say for sure, the web client, reregister with same id once it gets expired to make sure not loose the data after eviction as well.

I said:

aha, that's interesting. if so then I think the CLI client should get that feature too. perhaps some people want a convenient way to get infinite session registration, but I can say that if a long-running CLI client was to re-register a session during long polling, that would also fix my issue

[Mzack9999]

@justinsteven the 30 days eviction time starts counting from the interaction trigger/receive time. If data is not polled within 30 days, then it's evicted.
Using the client, if you disconnect and can reconnect anytime using the resume session info before the defined eviction time, the session is automatically renewed. I hope this helps. Let me know if you have any questions or if can we improve this functionality.

[justinsteven]

@Mzack9999 #428 will resolve this request. Thanks!

However, I've since realised I had an XY problem. Sorry about that.

The root cause of my frustration, and my want for the -ne flag added in #428, is described at #433

tl;dr if -eviction hits, then long-running interactsh-client's will not re-register the CID and will silently fail to poll for interactions. Setting -ne mitigates the problem, but it's non-default, and it could waste resources on the server. Having the client re-register the CID could be a cleaner fix for my concern.

However, some people might benefit from -ne if they only poll for a saved session's interactions infrequently and don't want to risk losing interactions in between.

Up to you if you want to close #428 as feature bloat and instead focus on #433

Thanks again :)

(P.S. I've worked around my own problem using https://github.com/justinsteven/interactsh-client-python so this isn't urgent for me right now)