Splunk HTTP Response Splitting Via Rest SPL Command
- source: splunk
- techniques:
  - T1027.006
Description
A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
Detection logic
`audit_searches` AND search IN ("*
|*rest*POST*","*
|*rest*PUT*","*
|*rest*PATCH*","*
|*rest*DELETE*") AND NOT search="*audit_searches*"
| table user info has_error_msg search _time
| `splunk_http_response_splitting_via_rest_spl_command_filter`
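The line breaks inside the quoted strings above are literal newline characters in the wildcard patterns: the rule fires on a search whose text contains a newline immediately followed by a pipe, a rest command and one of the state-changing HTTP verbs. To make that concrete, the following is an added Python emulation of the rule's filter and table stages run over constructed audit_searches events; it is not part of the Splunk rule, and it assumes the search command's field-value matching is case-insensitive.

```python
import re

# The four wildcard patterns from the rule's IN(...) clause. The embedded newline
# is the heart of the detection: a line break immediately followed by "|", then a
# rest command with a state-changing HTTP verb somewhere after it.
SUSPICIOUS_PATTERNS = [
    "*\n|*rest*POST*",
    "*\n|*rest*PUT*",
    "*\n|*rest*PATCH*",
    "*\n|*rest*DELETE*",
]
# The rule drops its own searches (anything expanding the audit macro).
EXCLUDE_PATTERN = "*audit_searches*"
TABLE_FIELDS = ("user", "info", "has_error_msg", "search", "_time")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn an SPL glob ('*' is the only wildcard) into an anchored regex.
    DOTALL lets '*' span newlines; IGNORECASE mirrors the assumed
    case-insensitive field-value matching of the search command."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.DOTALL | re.IGNORECASE)


SUSPICIOUS_RES = [wildcard_to_regex(p) for p in SUSPICIOUS_PATTERNS]
EXCLUDE_RE = wildcard_to_regex(EXCLUDE_PATTERN)


def is_suspicious(search: str) -> bool:
    """Apply the rule's filter to one audit_searches 'search' field value."""
    if EXCLUDE_RE.fullmatch(search):
        return False
    return any(r.fullmatch(search) for r in SUSPICIOUS_RES)


def find_hits(events: list[dict]) -> list[dict]:
    """Emulate '| table ...': keep matching events, projected to the rule's fields."""
    return [{f: e.get(f) for f in TABLE_FIELDS}
            for e in events if is_suspicious(e.get("search", ""))]


# Constructed audit_searches events (not real Splunk log data).
SAMPLE_EVENTS = [
    {"_time": "2023-06-01T10:00:00", "user": "analyst", "info": "granted", "has_error_msg": "false",
     "search": "search index=web status=500 | stats count by host"},          # ordinary search: no hit
    {"_time": "2023-06-01T10:01:00", "user": "admin", "info": "granted", "has_error_msg": "false",
     "search": "| rest /services/server/info"},                               # normal GET use of rest: no hit
    {"_time": "2023-06-01T10:02:00", "user": "lowpriv", "info": "granted", "has_error_msg": "true",
     "search": "search index=_internal\n|rest PLACEHOLDER_ENDPOINT POST"},    # newline + rest + verb: hit
    {"_time": "2023-06-01T10:03:00", "user": "soc", "info": "granted", "has_error_msg": "false",
     "search": "`audit_searches` AND search IN (\"*\n|*rest*POST*\")"},       # the rule itself: excluded
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```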