Blind XSS in Google Analytics Admin Panel — $3133.70

Introduction

This article is a write up on how I found a Blind XSS in Google Analytics Admin Panel where I was rewarded with $3133.70

Currently I am ranked in Top 200 at Google Hackers Ranking,

What is Blind XSS

Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker input is saved by the web server and executed as a malicious script in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page and when the administrator of the application is reviewing the feedback entries the attacker’s payload will be loaded. The attacker input can be executed in a completely different application (for example an internal application where the administrator reviews the access logs or the application exceptions).

Vulnerability exploitation

As we all know Google is having large scope to hack and its very difficult to understand where to find bugs and what to hack. So after getting Stored XSS in Google Ads, this time my target was Google Analytics.

It was almost 4–5 days I was testing on Google Analytics, I tried Privilege Escalation, IDOR, Stored XSS, Logical bugs etc. but I was failed I didn’t get anything, So every time when I want to leave and stop testing for a particular target I end up with Blind XSS.

So I started hunting for Blind XSS and adding XSS Hunter payloads while Creating account, dashboard alerts and everything.

Lastly I added payloads into Feedback Form.

I waited for couple of days but didn't get any XSS Hunter notification, so this time I changed my methodology. I installed Google Analytics Android Application and in that I added my payloads in Feedback form again, and this time intercepted the request for feedback and then added payloads in User-agent and other fields and forwarded the request.

Again waited for couple of weeks but didn’t get anything, so I lost all my hopes but remember “LIFE HAPPENS WHEN YOU LEAST EXPECT IT”.

So in morning I received mail from XSS Hunter saying my payload got executed and I was,

My payload got executed here,

Without wasting time I wrote a nice report and sent to Google and after somedays I got reply from Google saying,

And after 2–3 weeks I received mail again and this time I was rewarded with $3133.70

Happy to Hack Google again !!

If you need any help or want to connect, you can connect with me via LinkedIn at https://in.linkedin.com/in/ashish-dhone-640489135

I hope it will help you somewhere with your journey !!

Thanks for Reading !!

./Keep_Hacking

Information Security Analyst at Persistent Systems | Synack Red Team Member | CEH v10 | CEH Master | Bug Bounty Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store