LoFP / This search may produce false positives, as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-us/list/entities/x/ui/views", which is the vulnerable injection point.

Techniques

Sample rules

Splunk Reflected XSS in the templates lists radio

Description

Splunk versions below 8.1.12, 8.2.9 and 9.0.2 are vulnerable to reflected cross-site scripting (XSS). A View allows reflected cross-site scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio.

Detection logic

`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null 
| stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri 
| `splunk_reflected_xss_in_the_templates_lists_radio_filter`
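The search above matches any authenticated request to the views endpoint that carries a query string, which is why it is noisy. The following added example (not part of the Splunk rule or of this page's source) ranks exported events by decoding `uri_query` and checking for `output_mode=radio` together with markup indicators. The indicator list, the verdict labels, the parameter name `q` and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

VULN_PATH = "/lists/entities/x/ui/views"  # path fragment from the rule's uri filter
# Assumed, non-exhaustive indicators: markup delimiters, inline event handlers,
# javascript: URLs. Quotes and braces are left out because JSON uses them.
SUSPICIOUS = re.compile(r"[<>]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bound on nested percent-encoding (%253C -> %3C -> <)


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(event):
    """Rank one event carrying the rule's 'uri' and 'uri_query' fields."""
    if VULN_PATH not in event.get("uri", ""):
        return "ignore", []
    # parse_qsl removes one encoding layer; fully_decode removes the rest.
    params = [(k, fully_decode(v))
              for k, v in parse_qsl(event.get("uri_query", ""), keep_blank_values=True)]
    radio = any(k == "output_mode" and v.lower() == "radio" for k, v in params)
    hits = sorted({k for k, v in params if SUSPICIOUS.search(v)})
    if radio and hits:
        return "investigate", hits
    return "likely_benign", hits


# Constructed sample events (not taken from real logs); parameter "q" is hypothetical.
URI = "/en-US/lists/entities/x/ui/views"
SAMPLES = [
    {"uri": URI, "uri_query": "output_mode=radio&q=%7B%22label%22%3A%22%3Ci%3Etest%3C%2Fi%3E%22%7D"},
    {"uri": URI, "uri_query": "output_mode=radio&q=%257B%2522a%2522%253A%2522%253Ci%253E%2522%257D"},
    {"uri": URI, "uri_query": "output_mode=json&count=30"},
    {"uri": "/en-US/app/search/search", "uri_query": "q=%3Ci%3E"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(triage(ev), ev["uri_query"])
```

Events ranked `likely_benign` still matched the original search, so treat the verdict as a review priority rather than a suppression.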