How XSS HTML Injection Might Let Others Put Links On Your Sites

SEOMoz has some excellent examples of government sites that are susceptible to cross site (XSS) html injection, something that can also happen to any site. Let me first do my best to explain what this means in layman terms (hope I get it right).

In the examples shown at SEOMoz, they were able to add the link that looks like “<h1><a href=””>Look, I made a link</a></h1>” in the HTML to a new page hosted on a .gov site. Now, the page is a brand new, dynamically generated page, because the HTML itself is injected via the URL, which may look something like;

textQuery=%3Ch1%3E%3Ca+href%3D%22 Look%2C+I+made+a+link

The examples are still live, here is one of twenty, link.

Now, if the search engines index this page – and they will, if there are enough links pointing to this new page, the search engines may assign higher weight to the links on this page, since it is a .gov link and thus benefit the injected links.

This exploit was first made public in mid-June. This is something that can happen to almost any site or any server. Google itself is not immune to this exploit, they suffered from it in early July. And I also had an exploit on one of the tools at that people began exploiting.

I personally commend SEOMoz for posting the details on the 20 governmental sites with this exploit. They should ensure that their sites do not have this vulnerability and someone pointing this out, will help (encourage) them do something about it.

Related reading

A word cloud for the term 'branding' on the screen of a tablet.
Simple Share Buttons