Splunk Persistent XSS via Props Conf Detection Rule and SPL Query

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Splunk Persistent XSS via Props Conf - Vulnerability Type: Hunting - Description: In Splunk Enterprise versions 9.2.3 and 9.1.6, and Splunk Cloud Platform versions 9.2.2403.108 and 9.1.2312.205, low-privileged users can construct malicious payloads in the file, leading to unauthorized JavaScript code execution in users' browsers. 2. Search: - Provides SPL (Search Processing Language) queries for detecting the vulnerability, including time range, host, client type, and status. 3. Data Source: - Data source is Splunk, using the sourcetype, with data originating from . 4. Macros Used: - Two macros are utilized: and . 5. Annotations: - The vulnerability is associated with frameworks such as MITRE ATT&CK, KILL CHAIN PHASES, NIST, CIS, and THREAT ACTORS. 6. Default Configuration: - Default detection configuration, including disable status, cron scheduling, earliest/latest time, scheduling window, and whether to create risk events. 7. Implementation: - Requires access to internal indexes and web components. 8. Known False Positives: - Provides information on creating scheduled views for target endpoints to detect potential XSS attacks. 9. Associated Analytics Stories: - References analytics stories related to Splunk vulnerabilities. 10. Risk-Based Analysis (RBA): - Includes risk message, risk score, impact, and confidence level. 11. References: - Provides relevant reference links. 12. Detection Testing: - Includes test type, status, dataset, source, and sourcetype information. This information helps security teams understand the vulnerability in detail, including how to detect, configure, and test for it, as well as associated risk assessments and reference resources.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Persistent XSS via Props Conf Detection Rule and SPL Query