In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of Bootstrap that shipped with Splunk is 2.3.1, so the search targets that version alone.
- Type: Hunting
- Product: Splunk Enterprise
- Last Updated: 2023-05-09
- Author: Rod Soto
- ID: 8a43558f-a53c-4ee4-86c1-30b1e8ef3606
- Kill Chain Phase
- CIS Control: CIS 10
```spl
`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js"
| table _time clientip uri_path file status
| `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`
```
The SPL above uses the following macros:
- `splunkd_web` scopes the search to the Splunk Web access logs in the `_internal` index, which is why that index must be searchable.
- `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter` is an empty macro by default. It lets you filter out results (false positives) without editing the SPL.
Fields required to use this analytic (all of them are referenced in the search above): _time, clientip, method, uri_path, file, status.
How To Implement
This search does not require additional data to be ingested; it only needs the ability to search the _internal index, where the Splunk Web access logs live. It surfaces requests for the vulnerable Bootstrap 2.3.1 JavaScript files. A hit shows that the vulnerable asset was requested, not that an exploit succeeded, so pivot on clientip, the requesting user and the HTTP status before escalating.
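To show what the search actually matches, here is an offline emulation of its logic in Python. This is an added example, not code from Splunk's security content: it approximates the splunk_web_access log layout with a regex, runs the same field conditions (GET, uri_path wildcard `*bootstrap-2.3.1*`, file wildcard `*.js`), tabulates the same columns, and applies the page's risk formula. The log lines are constructed for the example, the field extraction is an approximation of the real sourcetype, and the `no_filter` function stands in for the empty filter macro.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Callable, Dict, List

# Constructed sample events that approximate Splunk's web access log layout
# (client IP, user, timestamp, request line, status, bytes, referer, UA).
# They are made up for this example and are not logs from a real instance.
SAMPLE_LOG = """\
10.0.0.21 - alice [09/May/2023:10:15:02.113 +0000] "GET /en-US/static/@abc123/js/contrib/bootstrap-2.3.1/js/bootstrap.min.js HTTP/1.1" 200 27938 "-" "Mozilla/5.0"
10.0.0.21 - alice [09/May/2023:10:15:02.480 +0000] "GET /en-US/static/@abc123/css/contrib/bootstrap-2.3.1/css/bootstrap.min.css HTTP/1.1" 200 1049 "-" "Mozilla/5.0"
10.0.0.77 - bob [09/May/2023:10:16:40.002 +0000] "GET /en-US/static/@abc123/js/contrib/bootstrap-3.4.1/js/bootstrap.min.js HTTP/1.1" 200 37045 "-" "curl/7.88"
10.0.0.77 - bob [09/May/2023:10:16:41.901 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 512 "-" "curl/7.88"
10.0.0.9 - - [09/May/2023:10:17:05.337 +0000] "GET /en-US/static/@abc123/js/contrib/bootstrap-2.3.1/js/bootstrap-tooltip.js HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Approximation of the fields the splunk_web_access sourcetype exposes:
# clientip, user, method, uri, status; uri_path and file are derived below.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

Event = Dict[str, str]


def parse_web_access(text: str) -> List[Event]:
    """Stand-in for the data the `splunkd_web` macro selects: turn raw access
    lines into field dictionaries. Lines that do not parse are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ts = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
        ev["_time"] = ts.isoformat()
        ev["uri_path"] = ev["uri"].split("?", 1)[0]      # drop the query string
        ev["file"] = ev["uri_path"].rsplit("/", 1)[-1]   # last path segment
        events.append(ev)
    return events


def spl_match(value: str, pattern: str) -> bool:
    """SPL-style wildcard comparison: '*' matches any run of characters and
    the comparison is case-insensitive, as it is for Splunk field values."""
    return fnmatchcase(value.lower(), pattern.lower())


def no_filter(events: List[Event]) -> List[Event]:
    """Stand-in for the empty filter macro: pass every result through."""
    return events


def hunt(text: str, filter_macro: Callable[[List[Event]], List[Event]] = no_filter) -> List[Event]:
    """Run the detection: GET requests whose uri_path contains bootstrap-2.3.1
    and whose file ends in .js, then project the same columns as `table`."""
    hits = [
        ev for ev in parse_web_access(text)
        if ev["method"] == "GET"
        and spl_match(ev["uri_path"], "*bootstrap-2.3.1*")
        and spl_match(ev["file"], "*.js")
    ]
    columns = ("_time", "clientip", "uri_path", "file", "status")
    return [{c: ev[c] for c in columns} for ev in filter_macro(hits)]


def risk_score(impact: int = 80, confidence: int = 20) -> float:
    """Risk Score = Impact * Confidence / 100, with the page's default values."""
    return impact * confidence / 100


def risk_message(row: Event) -> str:
    """Render the notable's message template with the matched client IP."""
    return f"Attempted access to vulnerable bootstrap file by {row['clientip']}"


if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG):
        print(row["_time"], row["clientip"], row["status"], row["uri_path"])
        print("   ", risk_message(row), "| risk", risk_score())
```

Of the five constructed lines only two survive: the `.css` request is dropped by `file="*.js"`, the Bootstrap 3.4.1 request by the `uri_path` wildcard, and the POST by `method=GET`. Passing a different function as `filter_macro` (for example one that drops a known scanner's clientip) is the same tuning the empty Splunk macro is there for.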
Known False Positives
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 16.0 | 80 | 20 | Attempted access to vulnerable bootstrap file by $clientip$ |
The Risk Score is calculated as Risk Score = Impact * Confidence / 100 (here 80 * 20 / 100 = 16.0). Initial Confidence and Impact are set by the analytic author.
- Version: 1