Splunk Stored XSS via Specially Crafted Bulletin Message

Try in Splunk Security Cloud

Description

The following hunting detection provides fields related to /service/messages endpoints where specially crafted bulletin message can exploit stored XSS.

• Type: Hunting

• Product: Splunk Enterprise

• Last Updated: 2024-07-01
• Author: Rod Soto
• ID: fd852b27-1882-4505-9f2c-64dfb96f4fc1

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1189	Drive-by Compromise	Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.AE

CIS20

• CIS 10

CVE

ID	Summary	CVSS

Search

| rest /services/messages 
| search message="*http*" 
| table id author message title 
| `splunk_stored_xss_via_specially_crafted_bulletin_message_filter`

Macros

The SPL above uses the following Macros:

splunk_stored_xss_via_specially_crafted_bulletin_message_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• table
• id
• author
• message
• title

How To Implement

Need access to Splunk REST api data via search.

Known False Positives

Must look at messages field and find malicious suspicious characters or hyperlinks. Not all requests to this endpoint will be malicious.

Associated Analytic Story

• Splunk Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
5.0	10	50	Please investigate $message for possible XSS attack in bulletin message $message$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://advisory.splunk.com/SVD-2024-0713

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1