Open source tool helps identify and exploit OOB vulnerabilities by integrating token and payload creation

The Mole out-of-band exploitation framework was unveiled at Black Hat 2020

Mole, a new open source framework for identifying and exploiting out-of-band (OOB) application vulnerabilities, was launched at Black Hat 2020 this week.

Developed by Zach Grace, principal at Lares, a Denver-based offensive security firm, Mole takes inspiration from tools such as Burp Suite’s Collaborator, XSS Hunter, and Handy Collaborator.

“OOB vulnerabilities occur when an application or server processes a payload but there’s no indication immediately returned to the tester,” Grace told The Daily Swig ahead of his presentation at the virtual Black Hat security conference yesterday.

“The only way to successfully identify these vulnerabilities is to cause an interaction with tester-controlled infrastructure such as a DNS or HTTP server.

“Mole helps identify and exploit these OOB vulnerabilities by integrating token and payload creation and providing the server components to monitor for interactions.”


Zach Grace presented Mole OOB exploitation framework at Black Hat 2020Zach Grace introduced Mole at the virtual Black Hat 2020 security conference

Streamlined testing

Mole consists of two main components: the client and the server.

“The client is used to create payloads during manual testing,” Grace explained. “It automatically injects tokens into the predefined payloads, so that they are ready to use.

“The server provides a DNS and web server to log all interaction with the payload tokens.”


Read more of the latest news from Black Hat 2020


Mole features configurable tracking token sizes, token context via tags, and custom notification channels, including email, Slack, and webhook.

“These features streamline testing for OOB vulnerabilities and add flexibility in monitoring for any OOB interactions,” said Grace.

“Additionally, a Burp Suite extension is provided to inject Mole payloads into your testing with Burp Suite.”

Pick your payload

Mole decouples the monitoring and payload generation from the testing tooling, allowing for the 24x7 monitoring of OOB interaction.

The tool supports the tracking of both DNS and HTTP/HTTPS interactions for all supported payload types, which include XSS, XXE, PDF, and OOXML.

“These payloads can be generated and saved to a directory for manual testing, dynamically inserted into requests with Mole’s Burp Suite Extension, or retrieved via API for custom integrations,” said Grace.

“Additional enhancements are planned over the next few months including additional payload types and servers,” he added.

Head over to the Mole GitHub repo for full details.


RECOMMENDED Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack