This search will produce numerous false positives, as it shows any accesses to the vulnerable Bootstrap JavaScript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update to a version of Splunk which has addressed the vulnerability.

Techniques

Sample rules

Splunk Persistent XSS Via URL Validation Bypass W Dashboard

Description

In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.

Detection logic

`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" 
| table _time clientip uri_path file status 
| `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`
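The following is an added example, not part of the original rule or Splunk's own code: it re-implements the SPL above in Python over a few constructed `splunkd_web` (web_access.log) lines, so the match conditions can be seen offline, and adds a per-client count to help triage the expected false positives. The log line shape, hosts, users and paths are assumed sample values.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the shape of Splunk's web_access.log (splunkd_web sourcetype);
# hosts, users, timestamps and static paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/Apr/2023:09:12:01.123 +0000] "GET /en-US/static/@9.0.3:1/js/contrib/bootstrap-2.3.1/bootstrap.min.js HTTP/1.1" 200 28731 "-" "Mozilla/5.0" - 4ms
10.0.0.5 - alice [18/Apr/2023:09:12:01.250 +0000] "GET /en-US/static/@9.0.3:1/css/bootstrap-2.3.1/bootstrap.min.css HTTP/1.1" 200 99120 "-" "Mozilla/5.0" - 3ms
10.0.0.9 - bob [18/Apr/2023:09:13:40.001 +0000] "GET /en-US/static/@9.0.3:1/js/contrib/bootstrap-2.3.1/bootstrap.js HTTP/1.1" 200 60110 "-" "curl/7.88" - 6ms
10.0.0.9 - bob [18/Apr/2023:09:13:41.700 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 512 "-" "curl/7.88" - 12ms
10.0.0.7 - carol [18/Apr/2023:09:14:02.900 +0000] "GET /en-US/static/@9.0.3:1/js/build/common.js HTTP/1.1" 200 40000 "-" "Mozilla/5.0" - 5ms
"""

# Field names mirror the ones the SPL uses: clientip, _time, method, uri_path, status.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<_time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_web_access(text: str) -> List[Dict[str, str]]:
    """Parse access-log lines into field dicts; 'file' is the last path segment, like Splunk's file field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not an access-log line
        ev = m.groupdict()
        ev["file"] = ev["uri_path"].rsplit("/", 1)[-1]
        events.append(ev)
    return events


def bootstrap_231_js_accesses(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Same conditions as the SPL: method=GET, uri_path contains bootstrap-2.3.1, file ends in .js."""
    return [
        {k: ev[k] for k in ("_time", "clientip", "uri_path", "file", "status")}
        for ev in events
        if ev["method"] == "GET"
        and "bootstrap-2.3.1" in ev["uri_path"]
        and ev["file"].endswith(".js")
    ]


def hits_per_client(hits: List[Dict[str, str]]) -> Counter:
    """Triage aid: normal UI usage spreads hits across many clients; a single client pulling many is worth a look."""
    return Counter(h["clientip"] for h in hits)
```

Only the two GET requests for `.js` files under a `bootstrap-2.3.1` path match; the CSS request, the POST and the unrelated `common.js` are dropped, exactly as the SPL would drop them.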