Adobe Analytics

jfleming2 · 12/20/22

Starting in November we saw Adobe capture weird values in the eVar we have set up for New/Repeat visitor that uses the plug-in. Here are some examples:

New'and(select*from(select+sleep(2))a/**/union/**/select+1)='
"New""and(select*from(select+sleep(2))a/**/union/**/select+1)="""
New'and(select'1'from/**/cast(md5(1952298297)as/**/int))>'0
"New""and(select*from(select+sleep(0))a/**/union/**/select+1)="""
New'and(select*from(select+sleep(0))a/**/union/**/select+1)='

The two instances in which this has happened, all values were captured on the same day, same time, same everything and are only one visit, one visitor, one everything. The only values that should show up should only be New, Repeat or Unspecified. Has anyone else come across this?

Jennifer_Dungan · 12/20/22

That looks like someone was running a web vulnerability test on your website (or actively trying to hack your website to find SQL Injection vulnerabilities).

This is not a result of the plugin; but rather a result of a tool trying to check for SQL Injection vulnerabilities by inserting SQL code everywhere possible.

I suspect this was the result of a internal security audit, a tool that will test benign SQL code and see if they get any results back that look like the SQL commands ran. Unfortunately, this sometimes results in Adobe dimensions unintentionally picking up those commands and storing them as text values.

You should check with your DevOps / IT / Security departments and see if they are the ones running the tests... if not, this could potentially be someone trying to find a vulnerability to exploit.... just because you see the commands in your data does not necessarily mean you are vulnerable; but if this wasn't your team, you should do your due diligence in trying to identify where it's coming from (and make sure that your site is secure).

View solution in original post

Jennifer_Dungan · 12/20/22

That looks like someone was running a web vulnerability test on your website (or actively trying to hack your website to find SQL Injection vulnerabilities).

This is not a result of the plugin; but rather a result of a tool trying to check for SQL Injection vulnerabilities by inserting SQL code everywhere possible.

I suspect this was the result of a internal security audit, a tool that will test benign SQL code and see if they get any results back that look like the SQL commands ran. Unfortunately, this sometimes results in Adobe dimensions unintentionally picking up those commands and storing them as text values.

You should check with your DevOps / IT / Security departments and see if they are the ones running the tests... if not, this could potentially be someone trying to find a vulnerability to exploit.... just because you see the commands in your data does not necessarily mean you are vulnerable; but if this wasn't your team, you should do your due diligence in trying to identify where it's coming from (and make sure that your site is secure).

Adobe Analytics

Unexpected values from Adobe New/Repeat Visitor plug-in

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe