Techniques
Sample rules
Splunk XSS via View
- source: splunk
- techniques:
  - T1189
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows the user action, application, and role used for creating views related to this vulnerability.
Detection logic
index = _internal sourcetype IN ("splunk_web_service", "splunk_python") message="*loadParams*"
| `security_content_ctime(_time)`
| table _time message fileName
| `splunk_xss_via_view_filter`
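The search above depends on two macros that this page does not define. The following macros.conf fragment is an added example, not part of the original rule; its definitions are assumptions based on the usual conventions of Splunk's security content app (a time-formatting helper and a pass-through filter), so compare them with the macros installed in your environment before relying on them.

```ini
# macros.conf (added example; definitions are assumptions, see note above)

# Converts the epoch value in the named field to a readable timestamp.
[security_content_ctime(1)]
args = field
definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)

# Pass-through filter: keeps every result by default.
# Narrow this definition to suppress known-benign view activity once
# the hunt's baseline output has been reviewed.
[splunk_xss_via_view_filter]
definition = search *
```

Without these two stanzas the search fails at macro expansion. With the default filter, every `_internal` event whose message contains `loadParams` from the two sourcetypes is returned for review.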