Splunk Field values are visible in URL. How can we hide them?

rakesh_498115
Motivator

Hi All,

I was using SPLUNK version 6.2.2 for deploying dashboards to our project internal security team. The data which we are gonna expose in Splunk is very critical and we don't want external users to have access to them via URL. All the dashboards developed are converted to HTML, so when a dashboard loads, the field values used in the dashboard form are passed in the browser URL and those are clearly visible to the users. I don't want to expose these field values to users, so how can we hide them?

E.g.:

http://localhost:8080/en-GB/app/custom_app/Data_Report?form.field1=TotalPrice&form.field2=*&form.report_date_uk=09%2F02%2F2016&form.report_date=02%2F09%2F2016&earliest=0&latest=&form.field5=cost%20%28%C2%A3%29&form.field6=0

Here the values field1, report_date_uk, and report_date are used in the dashboard.

Can we hide them from being displayed in the URL and pass them in "Post" process, i.e. in a hidden way?

As we use the method="post/get" attribute in HTML forms, can we add them to Splunk dashboards/forms?

thanks
Rakesh.

1 Solution

masonmorales
Influencer

Not that I know of. You have a couple different options for your use case though:

  1. Embedded reports (hosted outside of Splunk)
  2. Create a new role, add a search filter inside the role, limit indexes, capabilities, etc. and restrict the role to one app with just the view you want them to have access to

0 Karma
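
Option 2 above, sketched as an added example that is not part of the original post. The app name `custom_app` and view name `Data_Report` come from the URL in the question; the role name, index name and sourcetype are hypothetical placeholders.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Hypothetical role: report_viewer
[role_report_viewer]
# Inherit nothing, so no capabilities or indexes leak in from "user" or "power".
importRoles =
# Only capability granted: run searches (needed for the dashboard panels).
search = enabled
# Limit the role to the one index the report reads (hypothetical index name).
srchIndexesAllowed = sales_reports
srchIndexesDefault = sales_reports
# Restricts the scope of every search this role runs, so changing
# form.* values in the URL cannot reach data outside this filter.
# (hypothetical sourcetype)
srchFilter = sourcetype=price_report
# Keep concurrent jobs and disk usage small for a view-only role.
srchJobsQuota = 3
srchDiskQuota = 100

# --- $SPLUNK_HOME/etc/apps/custom_app/metadata/local.meta ---
# App-level default: only report_viewer can read, only admin can write.
[]
access = read : [ report_viewer ], write : [ admin ]

# Explicit permission on the single view the role should open.
[views/Data_Report]
access = read : [ report_viewer ], write : [ admin ]
```

Other apps whose metadata grants read to `*` stay visible to the new role until their permissions are narrowed as well.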

sfatnass
Contributor

Hi, if you use an HTML dashboard you can try a KV store element to hide params in the URL.

0 Karma

rakesh_498115
Motivator

Hi masonmorales,

Thanks for your reply.

It's not about roles etc. We have restricted the access with roles etc. We don't have the field values to be passed in visible mode to the end user. Can we do something about this? This is raised against our application in pen testing.

thanks,
rakesh.

0 Karma

jplumsdaine22
Influencer

The pen testers should not be worried about this - there is no additional information in the URI (like session tokens etc.) that is not in the requested resource. If you're really worried about it, put a reverse proxy in front of Splunk and rewrite the URLs.

As @masonmorales said, if you properly create your roles then the users cannot run any searches they're not supposed to.

0 Karma

rakesh_498115
Motivator

Yes jplumsdaine22,

I agree with your point. It's a concern raised by our pen testers to launch the product. I have raised a case with the Splunk support team and got to know they are gonna raise an Enhancement request for the same.

thanks,
Rakesh.

0 Karma