Google Analytics - Stored Cross Site Scripting Vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052355 漏洞类型
发布时间 2008-12-08 更新时间 2008-12-08
漏洞平台 N/A CVSS评分 N/A
= Google Analytics - Stored Cross Site Scripting
= Vendor Website:
= Affected Version:
=   --
= Public disclosure on 8th December 2008
Available online at:

== Issue Details == recently conducted a security
review of the Google Analytics service, provided by
Google Inc. Analysis discovered a stored Cross Site
Scripting (XSS) vulnerability present in the Analytics
web application.  A malicious user is able to inject
arbitrary browser content through web sites subscribed
to the Google Analytics service. The script content
injected was rendered into the Google Analytics
Content Detail page which uses an Ajax-based menu to
list the URL and the number of page views of the
visited pages.

The following URL points to the Google Analytics
Content Detail page:


JavaScript Vulnerable:

== Exploit Description - Attacker ==

A malicious user visits site which is
subscribed to the Google Analytics service and employs
the Google Analytics JavaScript tracking code. The
attacker performs the following request which includes
the Cross Site Scripting payload and the Google
Analytics JavaScript function broadcastChange():

Malicious GET Request:");

In the example above, the broadcastChange function is
used to terminate the malicious payload injection and
to make the victim's browser execute the malicious
script with no errors.

The web server responds with HTTP Status 200. The URL
of the page requested and the Cross Site Scripting
payload is passed to the Google Analytics service
through the JavaScript tracking code.

The injected script content results as the following
HTML being generated by the Google Analytics Content
Detail page:

<a title='/search.asp?keyword=test");
/search.asp?keyword=test"); alert(document.cookie);

== Exploit Description - Victim ==

The victim logs into Google Analytics service. The
login page redirects the user to:

The user clicks on the View Reports for its website
(which was attacked with the injection described
The user is redirected to a similar URL:

The user accesses the Content Overview section and
clicks on one of the listed pages. The user is then
redirected to a similar URL (in this example, the user
clicked on index.html):

In the Content Detail page for index.html, an
Ajax-based menu lists the most visited pages and their
relative page views.

When the user clicks on the link of the page which was
attacked, the browser executes the injected payload
from the domain.

Eventually, the user is redirected to the Content
Detail page for the search.asp?keyword=test entry. No
JavaScript errors are returned to the JavaScript

== Impact ==

Cross Site Scripting attacks can be used in
combination with a browser exploitation framework such
as BeEF, Browser Rider, Metasploit browser exploits,
Backweb, Anehta, XSS Proxy and Backframe. These
frameworks allow for complex JavaScript and
browser-based exploit development.

Other potential impacts include:

* Hijacking users browser session;
* Capturing sensitive information viewed by Google
Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based
exploits, such as ActiveX or URI handler exploits

== Solution == follows responsible disclosure
and promptly contacted Google when the issue was first
discovered. First contact with the vendor was made on
the 25th August 2008.  Confirmation of the
vulnerability was made by Google on the 4th September
On the 3rd December 2008, Google communicated to that Google Analytics has been
fixed. performed a regression
test on the same attack vector and confirmed the issue
has been resolved.

== Credit ==

Discovered and advised to Google Inc.
August 2008 by Roberto Suggi Liverani of
Personal Page:

== Greetings ==

Hello SA guys,
Really L00king forward 'Hacking In The Sun'!!! ;-)

== About == is a New Zealand based world
leader in web application testing, network security
and penetration testing. Our clients include some of
the largest globally recognised companies in areas
such as finance, telecommunications, broadcasting,
legal and government. Our aim is to provide the very
best independent advice and a high level of technical
expertise while creating long and lasting professional
relationships with our clients. is committed to security
research and development, and its team continues to
identify and responsibly publish vulnerabilities in
public and private software vendor's products. Members
of the R&D team are globally
recognised through their release of whitepapers and
presentations related to new security research.
For further information on this issue or any of our
service offerings, contact us

Web Site:

Roberto Suggi Liverani