ID | Technique | Tactic |
---|---|---|
T1189 | Drive-by Compromise | Initial Access |
Detection: Splunk Reflected XSS in the templates lists radio
Description
The following analytic identifies potential reflected cross-site scripting (XSS) attempts in Splunk versions below 8.1.12, 8.2.9, and 9.0.2. It detects when a query parameter with output_mode=radio
is used in a URI, leveraging splunkd_webx
logs with status 200 and non-null URI queries. This activity is significant as it can indicate an attempt to exploit a known vulnerability, potentially allowing attackers to execute arbitrary JavaScript in the context of the user's browser. If confirmed malicious, this could lead to unauthorized actions, data theft, or further compromise of the affected Splunk instance.
Search
1`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null
2| stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri
3| `splunk_reflected_xss_in_the_templates_lists_radio_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Splunk | Splunk | 'splunkd_ui_access' |
'splunkd_ui_access.log' |
Macros Used
Name | Value |
---|---|
splunkd_webx | index=_internal sourcetype=splunk_web_access |
splunk_reflected_xss_in_the_templates_lists_radio_filter | search * |
splunk_reflected_xss_in_the_templates_lists_radio_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | False |
Implementation
This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
Known False Positives
This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Potential XSS exploitation against radio template by $user$ | 25 | 50 | 50 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/web_access.log |
splunk_web_access |
Integration | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/web_access.log |
splunk_web_access |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3