Blind XSS in Google Analytics Admin Panel — $3133.70
Introduction
This article is a write-up on how I found a Blind XSS in the Google Analytics Admin Panel, where I was rewarded with $3133.70.
Currently I am ranked in the Top 200 of the Google Hackers Ranking.
What is Blind XSS
Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when attacker input is saved by the web server and later executed as a malicious script in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page, and the payload is loaded when the administrator of the application reviews the feedback entries. The attacker's input can also be executed in a completely different application (for example, an internal application where the administrator reviews the access logs or the application exceptions).
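The review-page side of that description, as an added example that is not part of the original write-up and is not Google's code: an admin table rendering stored feedback and logged request headers, first without and then with output encoding. All function names and the sample records are constructed for illustration.

```javascript
// Added example: an admin review page that renders values stored by other
// parts of the system (feedback text, logged User-Agent headers).
// All names and sample records are constructed for illustration.

// Constructed records as they would sit in storage, exactly as submitted.
const storedEntries = [
  { source: "feedback", field: "message", value: "Great product, thanks!" },
  { source: "feedback", field: "message", value: "<script>alert(1)</script>" },
  { source: "access-log", field: "user-agent", value: "Mozilla/5.0\"><img src=x onerror=alert(1)>" },
];

// Vulnerable sink: stored text is concatenated into HTML as-is, so markup in
// the value becomes markup in the administrator's browser.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.source}</td><td title="${entry.value}">${entry.value}</td></tr>`;
}

// HTML-encode the five characters that can change element or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened sink: every stored value is encoded at output time, regardless of
// which application wrote it or whether it was validated on the way in.
function renderRowSafe(entry) {
  const v = escapeHtml(entry.value);
  return `<tr><td>${escapeHtml(entry.source)}</td><td title="${v}">${v}</td></tr>`;
}

// Response headers for the admin page: a restrictive CSP as a second layer.
function adminPageHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Triage helper: flag stored values that contain HTML metacharacters so they
// can be reviewed; a signal for defenders, not a substitute for encoding.
function flagSuspicious(entries) {
  return entries.filter((e) => /[<>"']/.test(e.value));
}

function renderTable(entries, rowFn) {
  return `<table>${entries.map(rowFn).join("")}</table>`;
}
console.log(renderTable(storedEntries, renderRowSafe));
```

The encoding is applied at the sink because the review page cannot assume that the application which stored the value validated it.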
Vulnerability exploitation
As we all know, Google has a large scope to hack, and it's very difficult to understand where to find bugs and what to hack. So after getting a Stored XSS in Google Ads, this time my target was Google Analytics.
I had been testing Google Analytics for almost 4–5 days; I tried Privilege Escalation, IDOR, Stored XSS, Logical bugs…