December 8, 2008

Security advisory

= Google Analytics - Stored Cross Site Scripting Vulnerability
= Vendor Website:
= Affected Version:
= --
= Public disclosure on 8th December 2008
Available online at:

== Issue Details == recently conducted a security review of the Google Analytics service, provided by Google Inc. Analysis discovered a stored Cross Site Scripting (XSS) vulnerability present in the Analytics web application. A malicious user is able to inject arbitrary browser content through web sites subscribed to the Google Analytics service. The script content injected was rendered into the Google Analytics Content Detail page which uses an Ajax-based menu to list the URL and the number of page views of the visited pages.

The following URL points to the Google Analytics Content Detail page:

URL: ail

JavaScript Vulnerable: stChange()

== Exploit Description - Attacker ==

A malicious user visits site which is subscribed to the Google Analytics service and employs
the Google Analytics JavaScript tracking code. The attacker performs the following request which includes
the Cross Site Scripting payload and the Google Analytics JavaScript function broadcastChange():

Malicious GET Request:");

In the example above, the broadcastChange function is used to terminate the malicious payload injection and to make the victim’s browser execute the malicious script with no errors.

The web server responds with HTTP Status 200. The URL of the page requested and the Cross Site Scripting payload is passed to the Google Analytics service through the JavaScript tracking code.

The injected script content results as the following HTML being generated by the Google Analytics Content
Detail page:

<a title='/search.asp?keyword=test");
/search.asp?keyword=test"); alert(document.cookie);

== Exploit Description - Victim ==

The victim logs into Google Analytics service. The login page redirects the user to:

The user clicks on the View Reports for its website (which was attacked with the injection described
The user is redirected to a similar URL:

The user accesses the Content Overview section and clicks on one of the listed pages. The user is then
redirected to a similar URL (in this example, the user clicked on index.html):

In the Content Detail page for index.html, an Ajax-based menu lists the most visited pages and their
relative page views.

When the user clicks on the link of the page which was attacked, the browser executes the injected payload from the domain.

Eventually, the user is redirected to the Content Detail page for the search.asp?keyword=test entry. No
JavaScript errors are returned to the JavaScript console.

== Impact ==

Cross Site Scripting attacks can be used in combination with a browser exploitation framework such
as BeEF, Browser Rider, Metasploit browser exploits, Backweb, Anehta, XSS Proxy and Backframe. These frameworks allow for complex JavaScript and browser-based exploit development.

Other potential impacts include:

* Hijacking users browser session;
* Capturing sensitive information viewed by Google
Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based
exploits, such as ActiveX or URI handler exploits

== Credit ==

Discovered and advised to Google Inc.
August 2008 by Roberto Suggi Liverani of
Personal Page:

== Greetings ==

Hello SA guys,
Really L00king forward 'Hacking In The Sun'!!! ;-)

Share - permalink - Comment/Contact me