TheHive Hyperlinking #723
Comments
Well, how do you produce the alert description that contains links?
The alert description uses Markdown, which turns URLs into links automatically, which is actually handy. I think it would be better to preprocess your ElastAlert message in the first place and properly escape untrusted data, so analysts won't accidentally click on a malicious link, if this is your case.
I would use the code blocks feature when creating the alert description. So from clickable http://nmap.org/book/nse.html you'll have non-clickable Thanks to ```
@ninSmith it's kinda dangerous, because input may contain triple backticks :) Also we can try to split untrusted data by the newline character and pass each one on a new line prefixed with 4 spaces - it will work like the same code block:
But this approach probably has escapes too - it all depends on the Markdown library implementation.
I agree with @ilyaglow: the advantage of Markdown is to format things like links, so if you think a link could be malicious, then fang it when creating your alert. We will ensure the Markdown fields are as safe as possible.
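
The preprocessing suggested in the comments above, as an added example that is not part of the original thread or of TheHive or ElastAlert: it defangs URLs in untrusted values and wraps each value in a fence longer than any backtick run it contains, so embedded triple backticks cannot close the block. The function names, field names and sample value are assumptions, and the fence-length rule assumes a CommonMark-style renderer.

```python
import re

# URLs and bare "www." hosts that Markdown renderers commonly autolink.
URL_RE = re.compile(r"(?i)\b(?:(?:https?|ftp)://|www\.)[^\s<>\"'`]+")


def defang(text: str) -> str:
    """Rewrite URLs (hxxp, [://], [.]) so they are no longer autolinked."""
    def _one(match):
        url = re.sub(r"(?i)^http", "hxxp", match.group(0))
        return url.replace("://", "[://]", 1).replace(".", "[.]")
    return URL_RE.sub(_one, text)


def fenced(value: str) -> str:
    """Wrap untrusted text in a fence longer than any backtick run in it."""
    longest = max((len(run) for run in re.findall(r"`+", value)), default=0)
    fence = "`" * max(3, longest + 1)
    # Normalise line endings only, so analysts still see the raw value.
    body = value.replace("\r\n", "\n").replace("\r", "\n")
    return f"{fence}\n{body}\n{fence}"


def build_description(summary: str, untrusted: dict) -> str:
    """summary and field names come from the rule author; values do not."""
    parts = [summary, ""]
    for name, value in untrusted.items():
        parts += [f"**{name}**", fenced(defang(str(value))), ""]
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample: a User-Agent carrying a fence breaker and a link.
    ua = "Mozilla/5.0 " + "`" * 3 + " [update](http://updates.example.test/a)"
    print(build_description("Suspicious request", {"User-Agent": ua}))
```
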
Request Type
Bug (Security Issue)
Problem Description
If you open the Alert Preview window with some data in it (values pulled from elastalert), look at the link from the captured User-Agent value, for example. This value can be anything that an attacker puts in the HTTP User-Agent: field (including a malicious link), and it's automatically hyperlinked in TheHive GUI (in Case preview also).
Possible Solutions
Do not hyperlink values in TheHive GUI that are pulled from elastalert in TheHive. :)
Or... it would be nice to have an option to disable hyperlinking behavior.
Complementary information