Fwd: [security-lunch] Jun 24 | Muhammad Jazlan on "SST-Guard: Detecting and Characterizing Server-Side Google Analytics in the Wild"

4 views
Skip to first unread message

Alan Karp

unread,
Jun 22, 2026, 6:51:05 PM (9 days ago) Jun 22
to <friam@googlegroups.com>

--------------
Alan Karp


---------- Forwarded message ---------
From: Michael Leo Paper via security-lunch <securit...@lists.stanford.edu>
Date: Mon, Jun 22, 2026 at 2:29 PM
Subject: [security-lunch] Jun 24 | Muhammad Jazlan on "SST-Guard: Detecting and Characterizing Server-Side Google Analytics in the Wild"
To: securit...@lists.stanford.edu <securit...@lists.stanford.edu>


Security Lunch ☀️ Ed. — Wednesday,  June 24th, 2026, 12:00 pm @ CoDa E160

SST-Guard: Detecting and Characterizing Server-Side Google Analytics in the Wild
Muhammad Jazlan
Can't make it in person? Join us on zoom.
See our past & upcoming events on our website


Abstract: 
As web browsers increasingly implement tracking protection features, the web tracking ecosystem has started to shift from the client-side to the server-side. Instead of sending requests directly to the tracker’s endpoint, server-side tracking (SST) sends tracking requests to publisher-controlled or intermediary endpoints that then forward the information to trackers server-side. As a result, client-side tracking protections become fragile because direct client-to-tracker requests may no longer be observed.
In this paper, we investigate the server-side implementation of Google Analytics (sGA), the most widely deployed third-party tracking service on the web today. We present SST-Guard, a multi-modal browser-based system for detecting sGA despite endpoint customization and payload obfuscation. The key insight behind SST-Guard is that common sGA deployments change the standard Google Analytics endpoints, but still leave semantic artifacts of data collection by Google Analytics in the browser, including identifiers, event metadata, cookies, and JavaScript state. Therefore, rather than detecting requests to the standard Google Analytics endpoints, SST-Guard aims to detect underlying artifacts of collection and sharing of these semantic values to any arbitrary endpoint. Operationalizing this insight is challenging because real-world sGA deployments commonly customize endpoints and obfuscate URLs/payloads. SST-Guard addresses this challenge using a value-template approach that employs regular expressions to match semantic value pat-
terns across multiple modalities: network requests, cookies, and the window object.
We validate SST-Guard on Tranco top-10k websites, detecting 4.02% (403) sGA domains with over 93% accuracy across three modalities, with network request classifier demonstrating the highest accuracy (99.8%). Deploying SST-Guard at scale, we detect sGA on 4.21% (6,314) of Tranco top-150K websites. Our analysis shows that many sGA deployments use first-party subdomains, direct A/AAAA records, custom paths, or encoded payloads that circumvent existing defenses.

Bio:
Muhammad Jazlan is a second-year Computer Science PhD student at UC Davis, advised by Zubair Shafiq and Alexander Gamero-Garrido. He works on privacy and security on the web, with a focus on tracking in the browser. His recent work includes SST-Guard and Tracking Conversations. He is also working on generating stable hardware fingerprints in the browser and studying tracking in AI chatbots and AI-powered browsers. He is currently a privacy researcher at VaultJS.
_______________________________________________
security-lunch mailing list
securit...@lists.stanford.edu
https://mailman.stanford.edu/mailman/listinfo/security-lunch
Reply all
Reply to author
Forward
0 new messages