Google Analytics - Stored Cross Site Scripting Vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052355 漏洞类型
发布时间 2008-12-08 更新时间 2008-12-08
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2008120012
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
======================================================
=================
= Google Analytics - Stored Cross Site Scripting
Vulnerability
=
= Vendor Website:
= http://www.google.com
=
= Affected Version:
=   -- http://www.google.com/analytics/
=
= Public disclosure on 8th December 2008
=
======================================================
==================
Available online at:
http://www.security-assessment.com/files/advisories/20
08-12-08_Google_Analytics_Stored_Cross_Site_Scripting.
pdf

== Issue Details ==

Security-Assessment.com recently conducted a security
review of the Google Analytics service, provided by
Google Inc. Analysis discovered a stored Cross Site
Scripting (XSS) vulnerability present in the Analytics
web application.  A malicious user is able to inject
arbitrary browser content through web sites subscribed
to the Google Analytics service. The script content
injected was rendered into the Google Analytics
Content Detail page which uses an Ajax-based menu to
list the URL and the number of page views of the
visited pages.

The following URL points to the Google Analytics
Content Detail page:

URL:
https://www.google.com/analytics/reporting/content_det
ail

JavaScript Vulnerable:
goog.analytics.PropertyManager._getInstance()._broadca
stChange()

== Exploit Description - Attacker ==

A malicious user visits site xxx.com which is
subscribed to the Google Analytics service and employs
the Google Analytics JavaScript tracking code. The
attacker performs the following request which includes
the Cross Site Scripting payload and the Google
Analytics JavaScript function broadcastChange():

Malicious GET Request:

http://xxx.com/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test")

In the example above, the broadcastChange function is
used to terminate the malicious payload injection and
to make the victim's browser execute the malicious
script with no errors.

The web server responds with HTTP Status 200. The URL
of the page requested and the Cross Site Scripting
payload is passed to the Google Analytics service
through the JavaScript tracking code.

The injected script content results as the following
HTML being generated by the Google Analytics Content
Detail page:

<a title='/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test'
href='javascript:goog.analytics.PropertyManager._getIn
stance()._broadcastChange
("drilldown","/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test")'>
/search.asp?keyword=test"); alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadca
stChange("drilldown","/search.asp?keyword=test</a>


== Exploit Description - Victim ==

The victim logs into Google Analytics service. The
login page redirects the user to:

https://www.google.com/analytics/settings/

The user clicks on the View Reports for its website
(which was attacked with the injection described
above).
The user is redirected to a similar URL:

https://www.google.com/analytics/reporting/?reset=1&id
=xxxxxxx&scid=yyyyyyy

The user accesses the Content Overview section and
clicks on one of the listed pages. The user is then
redirected to a similar URL (in this example, the user
clicked on index.html):

https://www.google.com/analytics/reporting/content_det
ail?id=xxxxxxx&pdr=20080726-20080825&cmp=average&d1=%2
Findex.html

In the Content Detail page for index.html, an
Ajax-based menu lists the most visited pages and their
relative page views.

When the user clicks on the link of the page which was
attacked, the browser executes the injected payload
from the google.com domain.

Eventually, the user is redirected to the Content
Detail page for the search.asp?keyword=test entry. No
JavaScript errors are returned to the JavaScript
console.

== Impact ==

Cross Site Scripting attacks can be used in
combination with a browser exploitation framework such
as BeEF, Browser Rider, Metasploit browser exploits,
Backweb, Anehta, XSS Proxy and Backframe. These
frameworks allow for complex JavaScript and
browser-based exploit development.

Other potential impacts include:

* Hijacking users browser session;
* Capturing sensitive information viewed by Google
Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based
exploits, such as ActiveX or URI handler exploits

== Solution ==

Security-Assessment.com follows responsible disclosure
and promptly contacted Google when the issue was first
discovered. First contact with the vendor was made on
the 25th August 2008.  Confirmation of the
vulnerability was made by Google on the 4th September
2008.
On the 3rd December 2008, Google communicated to
Security-Assessment.com that Google Analytics has been
fixed. Security-Assessment.com performed a regression
test on the same attack vector and confirmed the issue
has been resolved.

== Credit ==

Discovered and advised to Google Inc.
August 2008 by Roberto Suggi Liverani of
Security-Assessment.com
Personal Page: http://malerisch.net

== Greetings ==

Hello SA guys,
Really L00king forward 'Hacking In The Sun'!!! ;-)

== About Security-Assessment.com ==

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Our clients include some of
the largest globally recognised companies in areas
such as finance, telecommunications, broadcasting,
legal and government. Our aim is to provide the very
best independent advice and a high level of technical
expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security
research and development, and its team continues to
identify and responsibly publish vulnerabilities in
public and private software vendor's products. Members
of the Security-Assessment.com R&D team are globally
recognised through their release of whitepapers and
presentations related to new security research.
For further information on this issue or any of our
service offerings, contact us

Web Site: www.security-assessment.com

Roberto Suggi Liverani
Security-Assessment.com