Google Analytics Stored Cross Site Scripting

Published: 09 Dec 2008. Reported by Roberto Suggi Liverani. Type: packetstorm. Source: packetstormsecurity.com

Google Analytics Stored Cross Site Scripting Vulnerability affecting Content Detail page rendering injected malicious scrip

Code

======================================================================
= Google Analytics - Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.google.com
=
= Affected Version:
= -- http://www.google.com/analytics/
=
= Public disclosure on 8th December 2008
=
======================================================================
Available online at:
http://www.security-assessment.com/files/advisories/2008-12-08_Google_Analytics_Stored_Cross_Site_Scripting.pdf
== Issue Details ==

Security-Assessment.com recently conducted a security review of the Google Analytics service, provided by Google Inc. Analysis discovered a stored Cross Site Scripting (XSS) vulnerability present in the Analytics web application. A malicious user is able to inject arbitrary browser content through web sites subscribed to the Google Analytics service. The script content injected was rendered into the Google Analytics Content Detail page, which uses an Ajax-based menu to list the URL and the number of page views of the visited pages.

The following URL points to the Google Analytics Content Detail page:

URL:
https://www.google.com/analytics/reporting/content_detail

JavaScript Vulnerable:
goog.analytics.PropertyManager._getInstance()._broadcastChange()
  
== Exploit Description - Attacker ==

A malicious user visits site xxx.com, which is subscribed to the Google Analytics service and employs the Google Analytics JavaScript tracking code. The attacker performs the following request, which includes the Cross Site Scripting payload and the Google Analytics JavaScript function broadcastChange():

Malicious GET Request:

```
http://xxx.com/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")
```

In the example above, the broadcastChange function is used to terminate the malicious payload injection and to make the victim's browser execute the malicious script with no errors.

The web server responds with HTTP Status 200. The URL of the page requested and the Cross Site Scripting payload are passed to the Google Analytics service through the JavaScript tracking code.
  
The injected script content results in the following HTML being generated by the Google Analytics Content Detail page:

```html
<a title='/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test'
href='javascript:goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test");
alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")'>
/search.asp?keyword=test"); alert(document.cookie);
goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test</a>
```
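The markup above shows why the injection works: the reported page path lands inside a javascript: href, so the quotes in the path close the _broadcastChange("...") call and the remainder runs as script. The following is an added example, not Google's code or the advisory's, that models that menu entry in a vulnerable and a hardened form (the renderer and helper names are assumed for illustration):

```javascript
// Added example (not Google's code): a model of the Content Detail menu
// entry from the advisory. The page path reported by the tracking code is
// attacker-controlled. The vulnerable renderer splices it into a
// javascript: href, so quotes in the path end the _broadcastChange("...")
// call and the rest runs as script. The hardened renderer HTML-escapes the
// path and drops the javascript: URL, keeping the path as inert data.

// Constructed from the advisory's malicious request.
const REPORTED_PATH =
  '/search.asp?keyword=test");alert(document.cookie);' +
  'goog.analytics.PropertyManager._getInstance()' +
  '._broadcastChange("drilldown","/search.asp?keyword=test")';

const CALL = 'goog.analytics.PropertyManager._getInstance()._broadcastChange';

// Vulnerable: mirrors the markup quoted in the advisory, raw path in
// title, href and link text.
function renderEntryVulnerable(path) {
  return "<a title='" + path + "' href='javascript:" + CALL +
    '("drilldown","' + path + "\")'>" + path + '</a>';
}

// Encode the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the path only ever appears as escaped data. A click handler
// bound elsewhere reads data-path and passes it to _broadcastChange as a
// plain string argument, so no path content is ever parsed as code.
function renderEntrySafe(path) {
  const safe = escapeHtml(path);
  return "<a title='" + safe + "' href='#' data-path='" + safe + "'>" +
    safe + '</a>';
}

// Review helper: read a single-quoted attribute back and decode the five
// entities, so a round trip through the renderer can be checked.
function attr(markup, name) {
  const m = new RegExp(name + "='([^']*)'").exec(markup);
  if (!m) return null;
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return m[1].replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}
```

With the advisory's path, the vulnerable href carries the alert call verbatim inside the javascript: URL, while the hardened output returns the same path unchanged from its title and data-path attributes and never emits a javascript: scheme.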
  
  
== Exploit Description - Victim ==

The victim logs into the Google Analytics service. The login page redirects the user to:

https://www.google.com/analytics/settings/

The user clicks on View Reports for their website (which was attacked with the injection described above). The user is redirected to a URL similar to:

https://www.google.com/analytics/reporting/?reset=1&id=xxxxxxx&scid=yyyyyyy

The user accesses the Content Overview section and clicks on one of the listed pages. The user is then redirected to a URL similar to the following (in this example, the user clicked on index.html):

https://www.google.com/analytics/reporting/content_detail?id=xxxxxxx&pdr=20080726-20080825&cmp=average&d1=%2Findex.html

In the Content Detail page for index.html, an Ajax-based menu lists the most visited pages and their relative page views.

When the user clicks on the link of the page which was attacked, the browser executes the injected payload from the google.com domain.

Eventually, the user is redirected to the Content Detail page for the search.asp?keyword=test entry. No JavaScript errors are returned to the JavaScript console.
  
== Impact ==

Cross Site Scripting attacks can be used in combination with a browser exploitation framework such as BeEF, Browser Rider, Metasploit browser exploits, Backweb, Anehta, XSS Proxy and Backframe. These frameworks allow for complex JavaScript and browser-based exploit development.

Other potential impacts include:

* Hijacking users' browser sessions;
* Capturing sensitive information viewed by Google Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based exploits, such as ActiveX or URI handler exploits.
  
== Solution ==

Security-Assessment.com follows responsible disclosure and promptly contacted Google when the issue was first discovered. First contact with the vendor was made on the 25th August 2008. Confirmation of the vulnerability was made by Google on the 4th September 2008. On the 3rd December 2008, Google communicated to Security-Assessment.com that Google Analytics had been fixed. Security-Assessment.com performed a regression test on the same attack vector and confirmed the issue has been resolved.
  
== Credit ==

Discovered and reported to Google Inc. in August 2008 by Roberto Suggi Liverani of Security-Assessment.com
Personal Page: http://malerisch.net
  
== Greetings ==  
  
Hello SA guys,  
Really L00king forward 'Hacking In The Sun'!!! ;-)  
  
== About Security-Assessment.com ==

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendors' products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us.

Web Site: www.security-assessment.com

Roberto Suggi Liverani
Security-Assessment.com
