/
splunk_xss_in_save_table_dialog_header_in_search_page.yml
62 lines (62 loc) · 2.17 KB
/
splunk_xss_in_save_table_dialog_header_in_search_page.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: Splunk XSS in Save table dialog header in search page
id: a974d1ee-ddca-4837-b6ad-d55a8a239c20
version: 1
date: '2022-10-11'
author: Rod Soto
status: production
type: Hunting
description: This is a hunting search to find persistent cross-site scripting XSS
code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise
(8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code
that can lead to persistent cross site scripting.
data_source:
- Splunk
search: '`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model
| table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`'
how_to_implement: Watch for POST requests combined with XSS script strings or obfuscation
against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.
known_false_positives: If host is vulnerable and XSS script strings are inputted they
will show up in search. Not all Post requests are malicious as they will show when
users create and save dashboards. This search may produce several results with non
malicious POST requests. Only affects Splunk Web enabled instances.
references:
- https://www.splunk.com/en_us/product-security.html
- https://portswigger.net/web-security/cross-site-scripting
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 50
cve:
- CVE-2022-43561
impact: 50
message: Possible XSS exploitation attempt from $clientip$
mitre_attack_id:
- T1189
observable:
- name: clientip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- host
- _time
- status
- clientip
- user
- uri
- method
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt
source: /opt/splunk/var/log/splunk/web_access.log
sourcetype: splunk_web_access
custom_index: _internal
update_timestamp: true