Hi everyone,
I just wanted to do a quick search in URLs requested in Splunk but cannot get the directory traversal string (../../../../ or similar) to stick - it gets stripped from the query. I've tried using quotes and it seems escaping shouldn't be necessary.
Any suggestions?
Thanks
Please share the troublesome query.
Sorry, here's a simple example:
index=* url="*../../../../*"
or
index=* "../../../../"
I believe the problem is attempting to search for a string of minor blocker characters. You may have better luck using a separate where command.
index=foo ```Always use explicit index names```
| where like(url, "../../../../%") ```Like is used instead of match to avoid escaping every character```
Thanks again for the suggestion. Unfortunately everything between the * and the % gets stripped when I execute the search.
The asterisk was a typo. Please try again without it.
Same result unfortunately... does the same thing not happen on your Splunk instance?
It does not happen on my instance (8.1.2)
I have the same issue on Splunk v8.2.1
Any solution please?