SEO News
Search

How XSS HTML Injection Might Let Others Put Links On Your Sites

by , Comments

SEOMoz has some excellent examples of government sites that are susceptible to cross site (XSS) html injection, something that can also happen to any site. Let me first do my best to explain what this means in layman terms (hope I get it right).

In the examples shown at SEOMoz, they were able to add the link that looks like "<h1><a href="http://www.example.com">Look, I made a link</a></h1>" in the HTML to a new page hosted on a .gov site. Now, the page is a brand new, dynamically generated page, because the HTML itself is injected via the URL, which may look something like;

textQuery=%3Ch1%3E%3Ca+href%3D%22 http%3A%2F%2Fwww.example.com%22%3E Look%2C+I+made+a+link %3C%2Fa%3E%3C/h1%3E

The examples are still live, here is one of twenty, epa.gov link.

Now, if the search engines index this page - and they will, if there are enough links pointing to this new page, the search engines may assign higher weight to the links on this page, since it is a .gov link and thus benefit the injected links.

This exploit was first made public in mid-June. This is something that can happen to almost any site or any server. Google itself is not immune to this exploit, they suffered from it in early July. And I also had an exploit on one of the tools at rustybrick.com that people began exploiting.

I personally commend SEOMoz for posting the details on the 20 governmental sites with this exploit. They should ensure that their sites do not have this vulnerability and someone pointing this out, will help (encourage) them do something about it.


SES LondonOptimising Digital Marketing Campaigns with Search, Social and Analytics
At SES London (9-11 Feb) you'll get an overview of the latest tools, tips, and tactics in Paid, Owned, Earned, Integrated Media and Business Intelligence to streamline your marketing campaigns in 2015. Register by 31 October to take advantage of Early Bird Rates.

Recommend this story

comments powered by Disqus