Splunk Search

Validate XSS attempt??

t0mb5t0n3d
New Member

I am curious if there is a way to validate an XSS alert in Splunk against something like a list of known XSS vulnerabilities that exist in an environment? What I would be interested in doing is having a list of known vulnerabilities, say, for instance, an XSS vulnerability that I know exists, and being able to have live XSS events compared to that list so that I could quickly validate if the live events are successful attempts or false positives. Any thoughts or suggestions?

0 Karma

Ayn
Legend

It depends a bit on what you mean by "known XSS vulnerabilities". If you mean that you could have a list of URLs and parameters that you know for sure are vulnerable in specific ways, then sure. Beware though that there are usually many, many variations that could be used when mounting an XSS attack. Simply looking for "<" and ">" characters in your parameters will probably not be enough as these can be URL encoded or substituted for other characters that will be interpreted as tags by most browsers (browsers really are amazing at accepting pretty much whatever silly broken HTML you throw at them). Similarly many attacks won't even require the use of tags because script code can be injected into an event within an element.

So to reiterate, if by "known" you mean certain SPECIFIC ways of trying to exploit SPECIFIC parameters in SPECIFIC pages in a web application, you could definitely do that. It's just a matter of creating a lookup file containing your search strings and then reading from that. Just don't be fooled to think that means you've covered all your bases.

EDIT: Right, so once again what you could do is create a lookup file holding the search strings you're interested in, either as just a general freetext search in events or as filters looking in specific fields. Let's say you have requested URLs in the field "url". You could create a lookup file (we'll call it xss_strings.csv) with URLs like this:

url,xss_attack
*/mypage.aspx?param=<script>*,1
*/somepage.aspx?foo=' onmouseover='*,1

Then call your lookup in a search like this:

<yourbasesearch> [|inputlookup xss_strings.csv | fields url]

This will result in the subsearch expanding to something like:

<yourbasesearch> ( ( url="*/mypage.aspx?param=<script>*" ) OR ( url="*/somepage.aspx?foo=' onmouseover='*" ) )

You could also call the lookup as "usual":

<yourbasesearch> | lookup xss_strings.csv url OUTPUT xss_attack

Then the events having the field "xss_attack" set to "1" will be the matching ones.
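The matching the lookup performs, written out as a stand-alone Python script (an added example, not part of the answer above and not Splunk code): it reads a constructed copy of the xss_strings.csv from the answer, turns each Splunk wildcard pattern into an anchored regular expression, and runs a few constructed access-log URLs through it. The second URL is the percent-encoded variant of a known string, which illustrates the caveat in the answer: an exact-string lookup misses it unless the URL is decoded before matching. The URLs, host name and the `decode` flag are assumptions for the illustration.

```python
import csv
import io
import re
from urllib.parse import unquote

# Constructed lookup file, same layout as the xss_strings.csv shown in the answer.
XSS_STRINGS_CSV = """url,xss_attack
*/mypage.aspx?param=<script>*,1
*/somepage.aspx?foo=' onmouseover='*,1
"""

# Constructed "url" field values from web access logs (host name is made up).
SAMPLE_URLS = [
    "http://app.example.test/mypage.aspx?param=<script>alert(1)</script>",
    "http://app.example.test/mypage.aspx?param=%3Cscript%3Ealert(1)%3C/script%3E",
    "http://app.example.test/somepage.aspx?foo=' onmouseover='alert(1)",
    "http://app.example.test/mypage.aspx?param=hello",
    "http://app.example.test/index.aspx",
]


def load_lookup(csv_text):
    """Parse the lookup CSV into (compiled_regex, xss_attack) pairs.

    A Splunk wildcard '*' becomes '.*'; every other character is matched
    literally, which is what the expanded subsearch url="*...*" terms do."""
    patterns = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        regex = ".*".join(re.escape(part) for part in row["url"].split("*"))
        patterns.append((re.compile("^" + regex + "$", re.IGNORECASE),
                         int(row["xss_attack"])))
    return patterns


def lookup_url(url, patterns, decode=False):
    """Return the xss_attack value of the first matching pattern, else 0.

    decode=True percent-decodes the URL first (an assumption of this example),
    so an encoded variant of a known string can still be matched."""
    candidate = unquote(url) if decode else url
    for regex, flag in patterns:
        if regex.match(candidate):
            return flag
    return 0


def classify(urls, csv_text, decode=False):
    """Map each URL to its xss_attack value, like the lookup's OUTPUT field."""
    patterns = load_lookup(csv_text)
    return {u: lookup_url(u, patterns, decode) for u in urls}


if __name__ == "__main__":
    for decode in (False, True):
        print(f"decode={decode}")
        for url, flag in classify(SAMPLE_URLS, XSS_STRINGS_CSV, decode).items():
            print(f"  xss_attack={flag}  {url}")
```

Two things carry over to Splunk itself. The subsearch form in the answer expands into `url="*...*"` search terms, so the wildcards work as shown; the `| lookup` form only honours wildcards in the CSV when the lookup definition sets `match_type = WILDCARD(url)` in transforms.conf, otherwise it looks for an exact field value. And, as the decoded run of the script shows, a lookup of exact strings should be run against a normalized (URL-decoded) copy of the field, or encoded variants of a confirmed vulnerable URL will be classified as clean.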

kristian_kolb
Ultra Champion

Or you could install modsec or a similar tool and take its logs as input to Splunk.

t0mb5t0n3d
New Member

Thank you very much. Not naive, but I am new to Splunk, so I wasn't sure how to even go about accomplishing this task, but you have given some great pointers. I will give this a shot and see what I come up with. Thanks again!

0 Karma

Ayn
Legend

Right. Just making sure you weren't too naive about this 🙂

I updated my answer.

0 Karma

t0mb5t0n3d
New Member

Yeah, for now I would want to just have a lookup file for exact strings that were identified and confirmed via either scanning and/or pentesting. I know that would just be a starting point, as the URL could probably be encoded and certain variations could be used to still exploit the XSS vulnerability.

So yes, in short, I want to create a lookup file with exact URLs that I know are validated XSS exploits, and I would like to create an alert or search that would take that data and compare it to the lookup file, so I could confirm that the alerts would be a successful XSS attempt.

0 Karma