Background:
Application analytics is becoming a very important aspect from a
business standpoint across companies and ventures. It is even more important
for consumer-centric sites like eCommerce, portals, mobile apps etc. Analytics
servers are usually owned by third parties; the application owner integrates
their code and forces the browser session to push some data cross-domain to those servers.
Problem Domain:
Let's take this example: an application running an eCommerce portal has implemented
third-party analytics services as shown in Figure 1. This server is well
guarded by a firewall, and secure coding practices have been applied to major components
across the application. The portal uses analytics services, and this service
can be integrated with JavaScript, which needs to be implemented across various sets of
pages.
Figure 1 – Analytics Deployment for Target Application
This type of scenario brings some unique threats if the application's
integration with the analytics server is not done securely. Here is the list of issues
we have observed during our consulting engagements.
- Developers may have blindly integrated the code on every page, so links or visited URLs go to the analytics server for analysis. In that case, certain pages such as forgot password, reset password and SSO pages are included, and all of these pages have URLs with sensitive tokens. These tokens can end up providing access to the site, and user sessions can be compromised. This is one of the major threats we have observed across many applications.
- The analytics server runs over a non-SSL channel, which may end up exposing traffic and certain sensitive information.
- In certain cases, the JS implementation code of the third-party component has DOM-based XSS and open redirect types of vulnerabilities, which can be exploited.
- The analytics server is running with certain open ports and can be compromised in very few cases.
It is imperative to evaluate analytics code and its
integration from a development standpoint. The code should be analyzed for vulnerabilities
and integrated into selected pages only. There is no point in integrating it
on all pages, as it may end up sending sensitive tokens to the
analytics server. Also, the deployment of the analytics server, including its open ports,
security posture and communication channel, should be carefully evaluated.
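
One way to apply the selected-pages rule on the client, shown as an added example that is not from the original article or from any analytics vendor. The page paths, parameter names and the hosts `shop.example` and `analytics.example` are assumptions made for illustration.

```javascript
// Added example. Paths, parameter names and hosts below are constructed
// assumptions, not taken from any real portal or analytics vendor.

// Allow-list: only these page families are ever reported to analytics.
const REPORTABLE_PATHS = [/^\/$/, /^\/products\//, /^\/category\//, /^\/cart$/];

// Query parameter names treated as secrets even on reportable pages.
const SENSITIVE_PARAM = /^(token|reset_token|sso|sso_ticket|session|sid|auth|code)$/i;

// Returns a scrubbed URL string, or null when the page must not be reported.
function sanitizePageUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (!REPORTABLE_PATHS.some((re) => re.test(url.pathname))) return null;
  // Copy the key list first so deleting does not disturb iteration.
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAM.test(name)) url.searchParams.delete(name);
  }
  url.hash = '';      // fragments can carry tokens too
  url.username = '';  // drop any embedded credentials
  url.password = '';
  return url.toString();
}

// Builds the beacon URL, refusing non-HTTPS analytics endpoints.
function buildBeaconUrl(rawPageUrl, endpoint) {
  const target = new URL(endpoint);
  if (target.protocol !== 'https:') return null;
  const page = sanitizePageUrl(rawPageUrl);
  if (page === null) return null;
  target.searchParams.set('page', page);
  return target.toString();
}

// In a browser the call site would look like this (sendBeacon is a standard API):
// const beacon = buildBeaconUrl(location.href, 'https://analytics.example/collect');
// if (beacon) navigator.sendBeacon(beacon);
```

Because the path check is an allow-list, a newly added reset or SSO page stays unreported until someone deliberately adds it.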