This search may produce false positives, as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.

Techniques

Sample rules

Splunk HTTP Response Splitting Via Rest SPL Command

Description

A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

Detection logic

`audit_searches` AND search IN ("*
|*rest*POST*","*
|*rest*PUT*","*
|*rest*PATCH*","*
|*rest*DELETE*") AND NOT search="*audit_searches*" 
| table user info has_error_msg search _time  
| `splunk_http_response_splitting_via_rest_spl_command_filter`
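As an added example (not part of this LoFP page or of Splunk's own detection content), the search above re-implemented in Python and run over a few constructed audit events, so the match conditions can be checked outside Splunk: a newline followed by a pipe into `rest` with a state-changing method, minus any search that itself contains `audit_searches`. Splunk-style `*` wildcards are translated to regex; case-insensitive matching of field values is an assumption about Splunk's semantics, and the endpoint path in the flagged sample is a placeholder, not a real target.

```python
import re
from typing import Dict, List

# The four wildcard patterns from the detection's IN(...) clause: a newline,
# then a pipe into the rest command, then a state-changing HTTP method.
SPLITTING_PATTERNS = [
    "*\n|*rest*POST*",
    "*\n|*rest*PUT*",
    "*\n|*rest*PATCH*",
    "*\n|*rest*DELETE*",
]

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk-style wildcard ('*' matches anything) into a regex.
    Case-insensitive matching is an assumption about Splunk field matching;
    DOTALL lets '*' span the embedded newline the patterns look for."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [wildcard_to_regex(p) for p in SPLITTING_PATTERNS]

def is_suspicious(search: str) -> bool:
    """Mirror the SPL: some splitting pattern matches AND the search is not
    itself a run of the audit_searches macro (the NOT clause)."""
    if "audit_searches" in search.lower():
        return False
    return any(rx.match(search) for rx in COMPILED)

def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the detection to audit events and keep the fields the SPL
    'table' command keeps, in the same order."""
    keep = ("user", "info", "has_error_msg", "search", "_time")
    return [{k: ev.get(k, "") for k in keep}
            for ev in events if is_suspicious(ev["search"])]

# Constructed sample audit events (not real Splunk data). Only the third one
# carries a newline before "| rest ... POST", the response-splitting signature;
# the read-only rest call and the detection's own search must not be flagged.
SAMPLE_EVENTS = [
    {"user": "analyst", "info": "granted", "has_error_msg": "false", "_time": "t1",
     "search": "search index=web status=500 | stats count by uri"},
    {"user": "admin", "info": "completed", "has_error_msg": "false", "_time": "t2",
     "search": "| rest /services/server/info | table version"},
    {"user": "lowpriv", "info": "granted", "has_error_msg": "true", "_time": "t3",
     "search": "search index=web\n| rest /services/PLACEHOLDER_ENDPOINT method=POST"},
    {"user": "soc", "info": "completed", "has_error_msg": "false", "_time": "t4",
     "search": "`audit_searches` AND search IN (\"*\n|*rest*POST*\")"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["user"], repr(row["search"]))
```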