Blind XSS in Google Analytics Admin Panel — $3133.70

Introduction

This article is a write up on how I found a Blind XSS in Google Analytics Admin Panel where I was rewarded with $3133.70

Currently I am ranked in Top 200 at Google Hackers Ranking,

What is Blind XSS

Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker input is saved by the web server and executed as a malicious script in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page and when the administrator of the application is reviewing the feedback entries the attacker’s payload will be loaded. The attacker input can be executed in a completely different application (for example an internal application where the administrator reviews the access logs or the application exceptions).

Vulnerability exploitation

As we all know Google is having large scope to hack and its very difficult to understand where to find bugs and what to hack. So after getting Stored XSS in Google Ads, this time my target was Google Analytics.

It was almost 4–5 days I was testing on Google Analytics, I tried Privilege Escalation, IDOR, Stored XSS, Logical bugs etc. but I was failed I didn’t get anything, So every time when I want to leave and stop testing for a particular target I end up with Blind XSS.

So I started hunting for Blind XSS and adding XSS Hunter payloads while Creating account, dashboard alerts and everything.

Lastly I added payloads into Feedback Form.

I waited for couple of days but didn't get any XSS Hunter notification, so this time I changed my methodology. I installed Google Analytics Android Application and in that I added my payloads in Feedback form again, and this time intercepted the request for feedback and…