TheHive Hyperlinking

Created on 13 Sep 2018  路  5Comments  路  Source: TheHive-Project/TheHive

Request Type

Bug (Security Issue)

Problem Description

If you open Alert Preview window with some data in it (values pulled from elastalert), look at the link from captured User-Agent value for example. This value can be anything that attacker put in HTTP User-Agent: field (including malicious link), and it's automatically hyperlinked in TheHive GUI (in Case preview also).

Possible Solutions

Do not hyper link values in The Hive GUI that are pulled from elastalert in TheHive. :)

Or... it will be nice to have an option to disable hyperlinking behavior.

Complementary information

thehive_prijava

bug

All 5 comments

Well, how do you produce the alert description that contains links?

Alert description uses Markdown, which turns URLs to links automatically, which is actually handy.

I think it would be better to preprocess your ElastAlert message in first place and properly escape untrusted data, so analysts won't accidentally click on malicious link, if this is your case.

I would use the code blocks feature when creating the alert description.

So from clickable http://nmap.org/book/nse.html you'll have non-clickable http://nmap.org/book/nse.html.

Thanks to ```

@ninSmith it's kinda dangerous, because input may contain triple backticks :) Also we can try to split untrusted data by new line character and pass each one on a new line prefixed with 4 spaces - it will work like the same code block:

 User-Agent: http://nmap.org/book/nse.html```http://malicious.link
 ```

But this approach probably has escapes too - it all depends on markdown library implementation.

I agree with @ilyaglow the advantage of Markdown is to format things like links, so if you think a link could be malicious, then fang it when creating your alert.

We will ensure te markdown fields are as safe as possible.

Was this page helpful?
0 / 5 - 0 ratings