LoFP / If the host is vulnerable and XSS script strings are inputted, they will show up in search. Not all POST requests are malicious, as they will show when users create and save dashboards. This search may produce several results with non-malicious POST requests. Only affects Splunk Web enabled instances.

Techniques

Sample rules

Splunk XSS in Save table dialog header in search page

Description

This is a hunting search to find persistent cross-site scripting (XSS) code that was included while inputting data in the ‘Save Table’ dialog in Splunk Enterprise (8.1.12, 8.2.9, 9.0.2). A remote user with the “power” Splunk role can store this code, which can lead to persistent cross-site scripting.

Detection logic

`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model
| table _time host status clientip user uri 
| `splunk_xss_in_save_table_dialog_header_in_search_page_filter`