
Cross Site Script Attack is breaking the Reporting API #10835

Closed
ehuebner opened this issue Nov 4, 2016 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments


ehuebner commented Nov 4, 2016

One of my Piwik tracked sites is attacked by cross site scripting. With a search term like

<script>_exploit_dom_xss()</script>

it breaks the output of the reporting API.
When I request the search keywords for a month with multiple results by calling:

module=API&method=Actions.getSiteSearchKeywords&idSite=&period=month&date=2016-10-01,2016-10-31&format=JSON&filter_limit=100000000&token_auth=

I only get:
```json
{
    "2016-10": [
        {
            "label": "\"><script>_exploit_dom_xss()</script>",
            "nb_visits": 2,
            "nb_hits": 381,
            "sum_time_spent": 1105,
            "exit_nb_visits": 1,
            "nb_pages_per_search": 190.5,
            "avg_time_on_page": 3,
            "bounce_rate": "0%",
            "exit_rate": "50%"
        }
    ]
}
```

Looks like the attack search term breaks the output of the API. Is there some way to prevent and fix that?

pebosi (Contributor) commented Nov 7, 2016

The result is valid JSON. Maybe post the complete output and provide more information about your Piwik Installation.

mattab (Member) commented Nov 11, 2016

Yes, it looks like correct JSON, so please re-open if you get invalid output.

@mattab mattab closed this as completed Nov 11, 2016
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Nov 11, 2016
ehuebner (Author) commented
Yes, the JSON is valid, but the October array has only one entry, while it should have around 100 different search keywords (I can see them in the visitor logs). But because, as mentioned, the script tag label breaks the API output, there is only one element. It seems like the output is stopping after the script tag occurs.

I have 104 sites with the same software installed and the API call is working for all of them perfectly, except for the one site with that script tag in the search keyword.

@pebosi This is the complete output and it has Piwik 2.16.1 installed.
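The two points the thread circles around, the original report that the response "stops" after the script-tag keyword and pebosi's reply that what was posted is valid JSON, can be separated with a small diagnostic. The script below is an added example written for this page; it is not code from the issue or from Piwik. The response text is constructed to mirror the shape quoted in the issue (same `"2016-10"` key and `label`/`nb_visits`/`nb_hits` fields, plus a second ordinary keyword), and the truncated variant is simply that text cut off mid-string. It shows that a stored `<script>` payload is inert inside a JSON string, that a genuinely cut-off response fails to parse rather than quietly returning one row, and how a consumer of the report should HTML-escape the labels before rendering them.

```python
import html
import json

# Constructed sample response, shaped like the one quoted in the issue,
# with one stored search keyword that carries a script-tag payload and one
# ordinary keyword. Not real Piwik output.
SAMPLE_RESPONSE = r'''{"2016-10": [
  {"label": "\"><script>_exploit_dom_xss()</script>", "nb_visits": 2, "nb_hits": 381},
  {"label": "normal keyword", "nb_visits": 5, "nb_hits": 7}
]}'''

# Constructed: the same body cut off partway through the first label, which is
# what a transfer that really "stopped after the script tag" would look like.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:60]


def parse_report(body):
    """Parse a reporting-API body and count the rows per period.

    Returns (True, {period: row_count}) for well-formed JSON and
    (False, reason) when the body is truncated or otherwise malformed.
    A one-row period in a well-formed body is a data question (which rows
    were archived), not a broken response.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"truncated or malformed JSON: {exc}"
    return True, {period: len(rows) for period, rows in data.items()}


def labels_survive_json(body):
    """Check that every label round-trips through JSON unchanged.

    A script tag inside a JSON string is ordinary text; the quote in the
    stored keyword is what JSON escapes, and decoding restores it exactly.
    """
    data = json.loads(body)
    return all(
        json.loads(json.dumps(row["label"])) == row["label"]
        for rows in data.values()
        for row in rows
    )


def render_labels_html(body):
    """Render the keyword list for a dashboard with the labels HTML-escaped.

    The stored payload only becomes a script if a consumer interpolates the
    raw label into HTML; escaping keeps it as visible text.
    """
    data = json.loads(body)
    items = []
    for rows in data.values():
        for row in rows:
            items.append(
                f"<li>{html.escape(row['label'])} ({row['nb_visits']} visits)</li>"
            )
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    print(parse_report(SAMPLE_RESPONSE))
    print(parse_report(TRUNCATED_RESPONSE))
    print(labels_survive_json(SAMPLE_RESPONSE))
    print(render_labels_html(SAMPLE_RESPONSE))
```

Running `parse_report` against the real API body is the quick way to tell the two situations apart: a body that parses but lists one row is complete, and the missing keywords have to be looked for on the archiving side, whereas a body that fails to parse is actually cut short. `render_labels_html` is the consumer-side mitigation for the stored payload itself.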
