The error detected above can be generated by a wide variety of improperly formatted XML views, so this search will produce false positives. The search cannot extract the malicious payload itself; any view it surfaces should be manually investigated.

Techniques

Sample rules

Splunk XSS via View

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute of the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search surfaces the user, action, application and role involved in creating views related to this vulnerability.

Detection logic

index=_internal sourcetype IN ("splunk_web_service", "splunk_python") message="*loadParams*"
| `security_content_ctime(_time)`
| table _time message fileName
| `splunk_xss_via_view_filter`
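The following Python script is an added example, not part of the original rule or of Splunk's own code. It does two things: it mirrors the search's filter (sourcetype in scope, message containing "loadParams", projected to _time/message/fileName) over a handful of constructed events, and it gives a triage helper for the fileName each hit points at. The triage helper parses the view XML and reports any module whose layoutPanel value is not a plain identifier; the assumption that a legitimate layoutPanel looks like "panel_row1_col1" or "appHeader" is mine, and a view that fails to parse is reported as unparseable rather than silently dropped, since that is exactly the malformed-view case that drives the false positives described above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events modelled on the fields the search uses
# (sourcetype, message, fileName). These are not real Splunk log lines.
SAMPLE_EVENTS = [
    {"_time": 1676370151, "sourcetype": "splunk_web_service",
     "message": "ERROR loadParams: failed to parse view parameters",
     "fileName": "/opt/splunk/etc/apps/search/local/data/ui/views/dash.xml"},
    {"_time": 1676370160, "sourcetype": "splunk_python",
     "message": "LoadParams raised exception while reading module attributes",
     "fileName": "/opt/splunk/etc/apps/myapp/local/data/ui/views/report.xml"},
    {"_time": 1676370170, "sourcetype": "splunkd",
     "message": "loadParams: out of scope because sourcetype is not listed",
     "fileName": "n/a"},
    {"_time": 1676370180, "sourcetype": "splunk_web_service",
     "message": "GET /en-US/app/search/dash 200", "fileName": ""},
]

# sourcetype IN ("splunk_web_service", "splunk_python")
SOURCETYPES = {"splunk_web_service", "splunk_python"}


def hunt(events):
    """Python equivalent of the SPL filter and `table _time message fileName`.

    Splunk's message="*loadParams*" is a case-insensitive wildcard match, so the
    comparison is lowercased here to keep the same semantics.
    """
    return [
        {"_time": e["_time"], "message": e["message"], "fileName": e["fileName"]}
        for e in events
        if e.get("sourcetype") in SOURCETYPES
        and "loadparams" in e.get("message", "").lower()
    ]


# Assumption (not from the rule): a legitimate layoutPanel is a bare identifier.
PANEL_ID = re.compile(r"^[A-Za-z0-9_]+$")


def triage_view(xml_text):
    """Inspect one view file's XML and return (module name, layoutPanel) findings.

    A view that does not parse is returned as a single ("unparseable", reason)
    finding: that is the improperly formatted XML case behind the false positives,
    and it still needs a human to look at the file.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for mod in root.iter("module"):
        panel = mod.get("layoutPanel")
        if panel is not None and not PANEL_ID.match(panel):
            findings.append((mod.get("name", "?"), panel))
    return findings


# Constructed views in Splunk advanced XML form. ODD_VIEW carries an attribute
# value with markup characters (entity-encoded so the file itself still parses);
# BROKEN_VIEW has an unclosed <module> and does not parse at all.
CLEAN_VIEW = """<view>
  <label>Clean</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="SearchBar" layoutPanel="panel_row1_col1"/>
</view>"""

ODD_VIEW = """<view>
  <label>Odd</label>
  <module name="SearchBar" layoutPanel="panel_row1_col1&lt;b&gt;x&lt;/b&gt;"/>
</view>"""

BROKEN_VIEW = '<view><module name="SearchBar" layoutPanel="panel_row1_col1"></view>'


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["_time"], hit["fileName"], "|", hit["message"])
    for label, view in (("clean", CLEAN_VIEW), ("odd", ODD_VIEW), ("broken", BROKEN_VIEW)):
        print(label, "->", triage_view(view))
```

The hunt function deliberately returns only the three columns the SPL tables; mapping each fileName to the on-disk view and running triage_view over it is the manual investigation step the false-positive note asks for, and the script never renders a layoutPanel value back into HTML.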