Techniques
Sample rules
Splunk XSS in Highlighted JSON Events
- source: splunk
- techniques:
- T1189
Description
This detection provides information about possible exploitation against affected versions of Splunk Enterprise 9.1.2. The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing the execution of JavaScript in script tags. This vulnerability can be used to execute JavaScript that accesses the API at the permission level of the logged-in user. If the user is an admin, it can be used to create an admin user, giving an attacker broad access to the Splunk environment.
Detection logic
`splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" status=201
| stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_xss_in_highlighted_json_events_filter`
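The same filter and aggregation, replayed over a few constructed access-log lines so the grouping can be checked offline. This is an added example, not part of the original rule or of Splunk's content; the log layout, the regex field names and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events; the access-log layout is assumed for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2024:10:15:32.101 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120
10.0.0.5 - admin [12/Jan/2024:10:15:40.250 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 201 870
10.0.0.5 - admin [12/Jan/2024:10:17:02.007 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 201 870
10.0.0.9 - analyst [12/Jan/2024:10:20:11.500 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 403 210
10.0.0.9 - analyst [12/Jan/2024:10:21:00.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users?output_mode=json HTTP/1.1" 200 990
"""

# Endpoint string taken from the detection logic above.
USERS_PATH = "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users"
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)

def detect(log_text):
    """Keep events that hit the users endpoint with status 201, then
    aggregate by (clientip, uri_path, method) like the stats clause."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than fail
        # 201 Created on this endpoint means a user object was created;
        # listings (200) and rejected attempts (403) are filtered out.
        if USERS_PATH not in m["uri"] or m["status"] != "201":
            continue
        uri_path = m["uri"].split("?", 1)[0]  # drop any query string
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        groups[(m["clientip"], uri_path, m["method"])].append(ts)
    return [
        {"clientip": ip, "uri_path": path, "method": method,
         "count": len(times),
         "firstTime": min(times).isoformat(),
         "lastTime": max(times).isoformat()}
        for (ip, path, method), times in sorted(groups.items())
    ]

if __name__ == "__main__":
    for row in detect(SAMPLE_LOG):
        print(row)
```

Each returned row is a user-creation request through the web UI proxy; during triage, compare it against expected administrative activity from that client address.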