Service abuse: Google Tag Manager debug cookie clearing with open redirect potential

Detects inbound messages containing links to Google Tag Manager's debug cookie clearing endpoint (googletagmanager.com/debug/clearcookies) whose decoded url query parameter resolves to a valid domain, a shape that can be abused as an open redirect, or links that a URL-rewriting service has identified as encoded through Google Tag Manager.

Sublime rule

name: "Service abuse: Google Tag Manager debug cookie clearing with open redirect potential"
description: "Detects messages containing links to Google Tag Manager's debug cookie clearing endpoint with suspicious URL parameters that may be exploited for open redirects, or links that have been rewritten through Google Tag Manager encoding methods."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          (
            .href_url.domain.root_domain == "googletagmanager.com"
            and .href_url.path == "/debug/clearcookies"
            and any(.href_url.query_params_decoded["url"],
                    strings.parse_url(.).domain.valid
            )
          )
          or 'google_tag_manager' in .href_url.rewrite.encoders
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Open redirect"
  - "Service abuse"
detection_methods:
  - "URL analysis"
  - "Content analysis"
id: "a69a939a-7c2d-537d-b476-ac99daf6d3d9"
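The following is an added worked example, not Sublime's own code or MQL engine: a stand-alone Python re-implementation of the rule's two arms, run over constructed sample messages. Assumptions are labelled in the code: a message is modelled as a dict with inbound and links fields that only loosely mirror type.inbound, body.links[].href_url and .rewrite.encoders; root_domain() takes the last two DNS labels instead of consulting the public suffix list; has_valid_domain() approximates strings.parse_url(...).domain.valid with an RFC 1123 style label check; and the sample hrefs use reserved example/test hostnames.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostname label rule (RFC 1123 style): 1-63 chars, alphanumerics or
# hyphens, no leading/trailing hyphen. Assumption: this approximates what
# strings.parse_url(...).domain.valid accepts; the exact MQL semantics are
# not shown on the page.
DOMAIN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def root_domain(host):
    """Last two labels of a host, e.g. www.googletagmanager.com ->
    googletagmanager.com. Assumption: a real engine consults the public
    suffix list, so multi-part suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def has_valid_domain(url):
    """True when url parses to an absolute URL whose host looks like a real
    DNS name: at least two labels, each well-formed, alphabetic TLD."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if not host:  # relative paths and javascript: URIs have no host
        return False
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not labels[-1].isalpha():
        return False
    return all(DOMAIN_LABEL.match(label) for label in labels)


def clearcookies_redirect(href):
    """First arm of the rule: googletagmanager.com, the /debug/clearcookies
    path, and at least one decoded url= parameter that carries a domain."""
    parts = urlsplit(href)
    if root_domain(parts.hostname or "") != "googletagmanager.com":
        return False
    if parts.path != "/debug/clearcookies":  # exact match, like the rule's ==
        return False
    # parse_qs percent-decodes once and returns every value of a repeated
    # key, mirroring query_params_decoded["url"] feeding any(...).
    targets = parse_qs(parts.query).get("url", [])
    return any(has_valid_domain(t) for t in targets)


def link_matches(link):
    """Either arm: the open-redirect shape, or a link that a rewriting
    service tagged as GTM-encoded (the rule's .rewrite.encoders list)."""
    return (clearcookies_redirect(link["href"])
            or "google_tag_manager" in link.get("rewrite_encoders", []))


def rule_matches(message):
    """type.inbound and any(body.links, ...)."""
    return message["inbound"] and any(link_matches(l) for l in message["links"])


def scan(messages):
    """Return the names of the messages the rule would flag."""
    return [m["name"] for m in messages if rule_matches(m)]


# Constructed sample messages (not observed samples); hostnames use
# reserved example/test names.
SAMPLE_MESSAGES = [
    {"name": "redirect-to-phish", "inbound": True, "links": [
        {"href": "https://www.googletagmanager.com/debug/clearcookies"
                 "?url=https://login.example-phish.test/"}]},
    {"name": "relative-target", "inbound": True, "links": [
        {"href": "https://www.googletagmanager.com/debug/clearcookies?url=/dashboard"}]},
    {"name": "second-param-hits", "inbound": True, "links": [
        {"href": "https://www.googletagmanager.com/debug/clearcookies"
                 "?url=javascript:void(0)&url=https%3A%2F%2Fexample.test%2F"}]},
    {"name": "ordinary-gtm-script", "inbound": True, "links": [
        {"href": "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"}]},
    {"name": "rewritten-link", "inbound": True, "links": [
        {"href": "https://protection.example/?u=abc",
         "rewrite_encoders": ["google_tag_manager"]}]},
    {"name": "outbound-copy", "inbound": False, "links": [
        {"href": "https://www.googletagmanager.com/debug/clearcookies"
                 "?url=https://login.example-phish.test/"}]},
]

if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGES))
```

Two things the samples make visible: a url parameter that is a relative path or a javascript: URI has no domain and does not trigger the first arm, so the rule keys on an absolute external target rather than on the mere presence of the parameter; and because the path is compared with ==, a variant such as /debug/clearcookies/ with a trailing slash would not match, which is worth keeping in mind when tuning.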