SEO News
Search

How XSS HTML Injection Might Let Others Put Links On Your Sites

by , Comments

SEOMoz has some excellent examples of government sites that are susceptible to cross site (XSS) html injection, something that can also happen to any site. Let me first do my best to explain what this means in layman terms (hope I get it right).

In the examples shown at SEOMoz, they were able to add the link that looks like "<h1><a href="http://www.example.com">Look, I made a link</a></h1>" in the HTML to a new page hosted on a .gov site. Now, the page is a brand new, dynamically generated page, because the HTML itself is injected via the URL, which may look something like;

textQuery=%3Ch1%3E%3Ca+href%3D%22 http%3A%2F%2Fwww.example.com%22%3E Look%2C+I+made+a+link %3C%2Fa%3E%3C/h1%3E

The examples are still live, here is one of twenty, epa.gov link.

Now, if the search engines index this page - and they will, if there are enough links pointing to this new page, the search engines may assign higher weight to the links on this page, since it is a .gov link and thus benefit the injected links.

This exploit was first made public in mid-June. This is something that can happen to almost any site or any server. Google itself is not immune to this exploit, they suffered from it in early July. And I also had an exploit on one of the tools at rustybrick.com that people began exploiting.

I personally commend SEOMoz for posting the details on the 20 governmental sites with this exploit. They should ensure that their sites do not have this vulnerability and someone pointing this out, will help (encourage) them do something about it.


The Original Search Marketing Event is Back!
SES DenverSES Denver (Oct 16) offers an intense day of learning all the critical aspects of search engine optimization (SEO) and paid search advertising (PPC). The mission of SES remains the same as it did from the start - to help you master being found on search engines. Register today!

Recommend this story

comments powered by Disqus