
Black hat SEO through XSS holes

3 October 2007


XSS allows an attacker to insert arbitrary HTML code into the victim's website. Now, you may ask: how is this related to any kind of SEO?

Well, if you could place an <a href> tag with a link to your site, say, on cnn.com, this would be awesome, right? Sure it would be. If you can find an XSS hole in a major site, this can easily be used for SEO.

Let's say you've got a vulnerable URL that looks like this: http://major-site.com/vuln.php?s=XSS . Instead of "XSS", you could inject some text with a link to your site. The XSS may not be persistent, and it doesn't have to be. Just post this URL on some other websites (discussion boards, or whatever), and wait for Googlebot to pick it up. You will have a one-way link from a major site in no time.

And even better: this kind of tactic doesn't require full-blown XSS holes. I've read this on another blog (http://ha.ckers.org/blog/20070919/another-fun-seo-blackhat-spam-tactic/ ): apparently the Google search available on cnn.com (many other large sites have this feature too) allows you to use the "site:" operator in the search query. Not only that, Google seems to pick up its own search results as genuine links from cnn.com. This means that by posting a URL like: http://search.cnn.com/search?query=site%3Amy-ste.com&type=&sortBy=&intl= on some other website, you get yourself a pretty high rated link from CNN.

And that's not limited to links. Take a look at this: http://search.cnn.com/search?query=site:pills-supplier.com?buy-viagra .

The page contains the keywords "buy Viagra", links to a Viagra supplier website, and is located on cnn.com. This sure means something to Googlebot as an incoming link, but it also means something as a search result in itself. This very URL appears on the second results page for the query "buy Viagra" on Google (I don't know how much longer this will persist).

Obviously, this is pretty impressive for an almost no-work trick. I mean, all the guy did was to place this URL somewhere Googlebot visits. That's all.

When users search for the keywords and see a result on cnn.com, they're likely to check it out. When they see outgoing links on that page, they will probably click them as well. Evidently, this results in lots of traffic to the destination website, and generates cash.

With a lucky XSS hole, you could even get some text on the front page of a website. Even if the XSS is not persistent, as long as Googlebot visits the XSS link, it sees what you want it to see. Actually, it's better for the XSS to be non-persistent, since it will probably go unnoticed by the webmasters.
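A non-persistent injection leaves nothing on the site itself, so the place a webmaster can notice it is the access log. The Python sketch below is an added example, not part of the original post: it flags requests whose reflected parameter carries markup, an absolute URL or a "site:" operator, and records whether a crawler fetched it. The host name, parameter names and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

OWN_HOST = "major-site.com"        # assumption: the site being defended
REFLECTED_PARAMS = {"s", "query"}  # assumption: parameters echoed into the page
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp", re.I)
# Markup, an absolute URL, or a site: operator naming a host.
SUSPICIOUS = re.compile(r"<\s*\w+|https?://|\bsite:\s*[\w.-]+\.\w+", re.I)
# Combined log format: "request" status size "referer" "user agent"
LOG_LINE = re.compile(
    r'"(?:GET|POST) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2007:10:00:00 +0000] "GET /search?query=site%3Aexample.net&type= HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [03/Oct/2007:10:01:00 +0000] "GET /search?query=election+results HTTP/1.1" 200 4096 "http://major-site.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
    '198.51.100.9 - - [03/Oct/2007:10:02:00 +0000] "GET /vuln.php?s=%3Ca+href%3D%22http%3A%2F%2Fexample.net%2F%22%3Elink%3C%2Fa%3E HTTP/1.1" 200 2048 "http://forum.example.org/thread/1" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
]

def inspect(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in REFLECTED_PARAMS and SUSPICIOUS.search(value):
            ref_host = urlsplit(m["referer"]).hostname or ""
            own = ref_host == OWN_HOST or ref_host.endswith("." + OWN_HOST)
            return {"param": name, "value": value,
                    "crawler": bool(CRAWLER_UA.search(m["ua"])),
                    "external_referer": bool(ref_host) and not own}
    return None

def scan(lines):
    """Collect findings for every suspicious line."""
    return [hit for hit in map(inspect, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `crawler` set means the injected page is being fetched for indexing. HTML-escaping the reflected value and serving search result pages with a `noindex` robots directive takes away what the spammer is after.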

The only problem, of course, is that finding XSS on websites such as cnn.com is close to impossible. However, if you do pull something like this off, I'd love to know how it went =)

Posted by: kGen | In category: Black hat SEO | Comments (0)