How to use an XSS vulnerability to inject links into other sites?

  • What is an XSS attack
  • How to use an XSS vulnerability to inject links into other people’s websites
  • Do XSS-injected links have any effect?
  • What is the potential impact on search results?

Cheating and black hat SEO

Black hat SEO, as opposed to white hat, refers to optimization methods that violate search engine quality guidelines in order to improve rankings. While black hat SEO is not advocated, understanding black hat techniques and the common tools used for them is the best way to avoid being penalized.

Last year, British SEO veteran Tom Anthony disclosed a vulnerability involving the Google spider that black hat SEOs could use to inject links into other people’s websites, with those links then being crawled by the Google spider. If exploited on a large scale, this vulnerability would obviously affect link weight flow and search rankings.

Tom reported the bug to Google in November 2018, but so far Google has shown no intention of addressing it, stating that “Google’s existing safeguards should prevent such abuse, but the team is reviewing the validation.” Google also mentioned some “internal communication difficulties” in its reply to Tom. Do all companies have such problems once they get big?

After five months of no action from Google, Tom decided to publish the vulnerability so that webmasters could check their sites for XSS vulnerabilities and take precautions against links being injected into them. Google seems confident enough that it allowed Tom to publish the information.

What is an XSS attack

XSS stands for Cross-Site Scripting. The natural abbreviation would be CSS, but that already denotes Cascading Style Sheets for page styling, so cross-site scripting attacks are abbreviated XSS instead.

XSS is a code injection attack. Most sites have some feature whose URL parameters can be set to arbitrary values, such as the search function, the submission function of UGC (user-contributed content) sites, script-based redirects, and so on. For search, for example, URLs typically look like domain.com/search.php?keyword or domain.com/?s=keyword, where keyword can be replaced with any string.

So what happens when the keyword part is replaced with a script, such as domain.com/?s=<script>alert('XSS')</script>? A site with this vulnerability does not filter the parameter before echoing it into the page, and the browser cannot tell the injected script apart from the site’s own scripts, so it executes it.

XSS can be used to steal sensitive user information, make requests to a website while impersonating the user, and so on. It can also execute scripts that insert content into the generated HTML, and that is the capability black hat SEO can exploit to inject links.

How to use an XSS vulnerability to inject links into other people’s websites

Since the parameter in the URL can be replaced with a script that the browser executes to insert content into the HTML, it can insert links as well. Of course, if the link only appears in the user’s browser and the search engine never crawls the URL, black hat SEO would have no interest. The problem is that the Google spider can crawl the URL carrying the injected script, and it also executes JS, so it sees the injected link.

One way to prevent XSS attacks is server-side filtering, the most basic form of which is to HTML-escape the parameter so that it is treated as a string to search for, not as a script to execute. The second is XSS detection in the browser: many browsers (such as Chrome) refuse to open the page outright when they see suspicious content such as a script tag in the URL.
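To make the server-side escaping concrete, here is an added example in Python (not code from the original post or from Tom Anthony’s write-up): a reflected search parameter rendered unescaped beside the HTML-escaped version. The host and URLs are constructed; the payload is the alert() example from above, plus a constructed link tag of the kind the post discusses.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample URLs (hypothetical host, not any real site):
# the search keyword replaced by a script, and by a link tag.
SCRIPT_URL = "https://example.test/?s=<script>alert('XSS')</script>"
LINK_URL = "https://example.test/?s=<a href=\"https://example.invalid/\">x</a>"


def keyword_from_url(url: str) -> str:
    """Extract the 's' search parameter the way a search page would."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("s", [""])[0]


def render_vulnerable(keyword: str) -> str:
    """The 'before' form: the keyword is reflected into the HTML unescaped,
    so any markup in the parameter becomes part of the page that the
    browser (and a rendering crawler) will interpret."""
    return f"<h1>Results for: {keyword}</h1>"


def render_escaped(keyword: str) -> str:
    """The 'after' form: html.escape turns <, >, &, quotes into entities,
    so the keyword is displayed as text and never parsed as a tag."""
    return f"<h1>Results for: {html.escape(keyword, quote=True)}</h1>"


def contains_raw_markup(rendered: str) -> bool:
    """Crude illustrative check (not a real XSS filter): does the rendered
    output still contain a raw <script or <a tag from the parameter?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<a " in lowered


if __name__ == "__main__":
    for url in (SCRIPT_URL, LINK_URL):
        kw = keyword_from_url(url)
        print("unescaped:", render_vulnerable(kw))
        print("escaped:  ", render_escaped(kw))
```

The escaped rendering is what a search results page should emit; the unescaped one is exactly the behaviour the post describes as exploitable.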

If the Google spider could recognize XSS attacks the way Google’s own Chrome browser does, and simply did not crawl URLs with injected scripts at all, none of this would matter. But according to Google’s official documentation, the Google spider so far uses the older Chrome 41, which has no XSS detection. Therefore, on sites with XSS vulnerabilities, the URL carrying the injected link is likely to be crawled by the Google spider.

Tom did the experiment. Revolut has an XSS bug (OMG, a bank website with an XSS bug). Tom constructed a Revolut URL with an injected script that the browser executes to place a link at the top of the page. What does the Google spider do with this URL? Tom checked with Google’s mobile-friendly test tool, which renders the page the way the Google spider does. The result was this:

Clearly, Google can crawl the URL, execute the injected script, and generate a page with the injected link at the top. That is an external link from the bank’s domain.

To verify further, Tom submitted the experimental URL to Google. Google indexed the URL, and the cached snapshot showed the link injected by the JS script appearing on the page as normal:

Tom also found that XSS injection can be used to add and modify tags in the HTML, such as canonical tags, which can be quite dangerous. But that is unrelated to the link injection this post is about, so I won’t go into detail.

Do XSS-injected links have any effect?

Merely being indexed does not necessarily mean there is a problem: if, like some spam links, they are ignored by Google, they carry no link effect and cannot be used to manipulate external links. To verify whether the link on the URL actually passes link value, Tom did a further experiment.

Tom injected a link to a newly created page on Revolut that had not existed before, submitted the Revolut URL, and Google soon crawled Tom’s new page on Revolut’s site, indexed it, and showed it in search results:

This means the injected links at least attract the spider. Do they pass weight and affect rankings the way regular links do? Tom was concerned about the possible impact on normal search results and did not experiment further.

Here I have to say, many foreign SEOs are quite idealistic. If a domestic SEO found a vulnerability at this level, would they report it to the search engine so it could be fixed? They would probably use it to their own advantage until it died.

What is the potential impact on search results?

If links injected this way work like normal links, passing weight and affecting rankings, then they would obviously be a big help to black hat SEOs trying to manipulate weight and rankings. How much potential impact could there be on search results?

www.openbugbounty.org/ lists more than 125,000 sites with XSS vulnerabilities, including 260 .gov government sites, 971 .edu sites, and 195 of the 500 most-linked sites. Imagine the potential impact.

Of course, Google is confident that its defense mechanisms should be able to identify this black hat method, and I suspect Google’s internal investigation found that it has not been exploited so far. But that was before Tom published the information. What about now? I suspect a lot of people are already frantically testing whether this method works, and once this post is published, domestic SEOs will certainly try it too. So how effective will Google’s defenses be against massive abuse of this injection method?

On the other hand, Tom’s post will almost certainly force Google to take active steps to close this loophole before XSS link injection becomes an effective SEO cheat. If you want to try it, do it fast. Soon it won’t work.