Tom reported this vulnerability to Google last November, but so far Google has not fixed it. Google's reply was: "Google's existing protection mechanisms should prevent this abuse, but the relevant team is verifying this." In addition, Google mentioned some "internal communication difficulties" when responding to Tom. Does every company have such problems once it gets big?
Since Google has taken no action in five months, Tom decided to disclose the vulnerability publicly, so that webmasters can check whether their own websites have XSS vulnerabilities and take precautions against having links injected. Google agreed to Tom releasing the information, and seems quite confident.
What is an XSS attack?
XSS is short for Cross Site Scripting, meaning a cross-site scripting attack. Strictly speaking, the abbreviation of Cross Site Scripting should be CSS, but that collides with the CSS of page style sheets, so cross-site scripting attacks are abbreviated XSS instead.
XSS is a code injection attack. Most websites have functions whose URL parameters can be freely modified by the visitor, such as search, UGC (user-generated content) submission, redirect scripts, and so on. Take search as an example: the URL is often domain.com/search.php?keyword, or domain.com/?s=keyword (the search function on SEO Daily uses this URL format), where keyword can be replaced by any string.
So what happens when the keyword part is replaced by a script? For example, domain.com/?s=<script>alert('XSS')</script>. On a website with this kind of vulnerability, the malicious script carried in the URL is not filtered by the server and is echoed into the page; the browser does not recognize it as malicious, so the script is executed.
XSS can be used to obtain sensitive user information, to impersonate a user in making requests to the website, and so on. It can also execute scripts that insert content into the generated HTML code, which is the vulnerability that black hat SEO can use to inject links.
How to use XSS vulnerability to inject links into other websites
Modify the parameter in the URL, replacing it with a script; the script executes in the browser and inserts content into the HTML, so it can also insert links. Of course, if the link were only displayed in the browser of the user who clicks the URL and search engines never crawled it, black hat SEO would not be interested. The problem is that the Google spider can crawl the URL containing the injected script and execute the JS, so it sees the injected link too.
To prevent XSS attacks, the first measure is security filtering on the server side, the most basic of which is HTML escaping: treat <script>alert('XSS')</script> as the string being searched for rather than as a script to be executed. The second is XSS recognition on the browser side: many browsers (such as Chrome) now refuse outright to open a page when they see suspicious characters such as script in the URL.
If the Google spider recognized XSS attacks the way Google's own Chrome browser does, URLs with injected scripts would not be crawled at all and there would be no problem. But according to Google's official documentation, the Google spider still renders with the older Chrome 41, and Chrome 41 does not have XSS recognition. Therefore, on a website with an XSS vulnerability, the URL carrying the injected link may well be crawled by the Google spider.
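To make the server-side point concrete, here is an added example (not code from the original post or from Tom's write-up) of a minimal search-results page rendered the vulnerable way, echoing the raw ?s= parameter, and the hardened way, HTML-escaping it first. The template, function names and the domain.example URL are assumptions for illustration only.

```python
"""Added example: reflected search parameter, raw echo vs. HTML-escaped.

The vulnerable renderer reproduces the defect the post describes: whatever
the URL carries, including a <script> tag, becomes part of the HTML the
browser executes.  The escaped renderer turns the same input into inert text.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Assumed page template; {keyword} is where the user's search string is echoed.
TEMPLATE = '<h1>Search results for: {keyword}</h1>\n<div id="results"></div>'


def keyword_from_url(url: str) -> str:
    """Extract the search string from a URL of the form domain.com/?s=keyword."""
    query = parse_qs(urlsplit(url).query)
    return query.get("s", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the raw parameter into the page (the vulnerable behaviour)."""
    return TEMPLATE.format(keyword=keyword_from_url(url))


def render_escaped(url: str) -> str:
    """Same page, but the parameter is HTML-escaped first, so the browser
    displays the literal text '<script>...' instead of running it."""
    return TEMPLATE.format(keyword=html.escape(keyword_from_url(url), quote=True))


def contains_script_tag(page: str) -> bool:
    """Crude check used only to compare the two outputs: does a live
    <script ...> tag survive in the rendered HTML?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed sample URL carrying the same harmless alert() payload the post uses.
    injected = "https://domain.example/?s=<script>alert('XSS')</script>"
    print("vulnerable:", render_vulnerable(injected))
    print("escaped:   ", render_escaped(injected))
```

For an ordinary search string the two renderers produce identical output; only input containing HTML-significant characters differs, which is why escaping at the point of output costs nothing for normal use.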
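A webmaster who wants to know whether injected URLs on their own site are already being fetched, by users or by the Google spider, can look for them in the web-server access log. The following is an added example (not from the original post) that scans log lines in the common Apache/nginx "combined" format for requests whose query string carries a script tag, decoding twice so that double-encoded payloads are not missed, and notes whether the user agent claims to be a search-engine crawler. The log lines are constructed for this example; the regex and marker lists are assumptions.

```python
"""Added example: find requests whose query string carries script content."""
import re
from urllib.parse import unquote, urlsplit

# Combined log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings that indicate script content in a query string (assumed list).
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")
# User-agent substrings for crawlers of interest (assumed list).
CRAWLER_MARKERS = ("googlebot", "bingbot")

# Constructed sample log: one normal search, one Googlebot fetch of an injected
# URL, one double-encoded injected URL from a user, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2019:09:12:01 +0000] "GET /?s=seo HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Apr/2019:09:13:44 +0000] "GET /?s=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Apr/2019:09:15:02 +0000] "GET /search.php?keyword=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2019:09:16:30 +0000] "GET /about HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""


def query_has_script(path: str) -> bool:
    """Decode the query string twice (catches %25-double-encoding) and look for markers."""
    query = urlsplit(path).query
    decoded = unquote(unquote(query)).lower()
    return any(marker in decoded for marker in SCRIPT_MARKERS)


def is_crawler(user_agent: str) -> bool:
    """True if the user-agent string names one of the crawlers we care about."""
    return any(marker in user_agent.lower() for marker in CRAWLER_MARKERS)


def find_injected_requests(log_text: str) -> list:
    """Return one record per request whose query string carries script content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not query_has_script(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
            "crawler": is_crawler(m["ua"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_injected_requests(SAMPLE_LOG):
        who = "CRAWLER" if hit["crawler"] else "user"
        print(f"{who:7} {hit['ip']:15} {hit['status']} {hit['path']}")
```

A 200 status on a crawler hit of an injected URL is the case the post is about: the page was served, and the injected content may have been rendered and indexed. Note that a user-agent string is self-reported, so a "Googlebot" entry should be confirmed by reverse DNS before drawing conclusions from it.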
Tom ran an experiment. The website of a new bank (Revolut) had an XSS vulnerability (gosh, a bank website with an XSS vulnerability; it has since been patched). Tom constructed a URL on the Revolut domain with an injected script which, when executed, puts a link at the top of the page. How does the Google spider handle this URL? Tom checked it with Google's mobile-friendly testing tool, because the tool renders the page the same way the Google spider does. The result was this:
Obviously, Google can crawl the URL and execute the injected script, and the generated page has the injected link at the top. This is an external link from the bank's domain name.
To verify further, Tom submitted the experimental URL to Google. Google indexed the URL, and the cached snapshot showed that the link injected through the JS script also appeared on the page:
Tom also found that XSS injection can add and modify tags in the HTML, such as canonical tags, which is quite dangerous. However, that is not closely related to the topic of this post, link injection via XSS, so I won't elaborate.
Are links injected by an XSS attack effective?
Indexing alone doesn't necessarily indicate a problem. If Google ignores the link, as it does some spam links, there is no link effect and it cannot be used to manipulate external links. To verify that the links on this URL actually have a link effect, Tom experimented further.
Tom injected into the URL on the Revolut domain a link pointing to a page on his experimental site that had not existed before and had only just been created, and submitted the Revolut URL. Soon afterwards, Google crawled the new page on Tom's experimental site and indexed it; the page appeared in search results:
This shows that the injected link can at least play a role in attracting spiders. Does it have a similar effect on weight flow and ranking? Tom did not experiment further, out of concern about the possible impact on normal search results.
I have to say here that many foreign SEOs are very principled. I wonder, if domestic SEOs found a vulnerability of this level, would they report it to the search engine so the loophole could be fixed? They would probably use the vulnerability for their own ends, and use it to death.
What is the potential impact on search results?
If links injected this way have the effect of normal links and count for weight and rankings, then once black hat SEOs use them they obviously help to manipulate weight and rankings. How large is the potential impact on search results?
The https://www.openbugbounty.org/ website lists more than 125,000 sites with XSS vulnerabilities, including 260 .gov government sites and 971 .edu domains, and 195 of the 500 sites with the most links. Imagine how big the potential impact could be.
Of course, Google is very confident that its defense mechanism should be able to identify this black hat method. I suspect Google's internal investigation shows that this method has not been used so far. But that was before Tom released the information; what about now? I estimate that many people are already experimenting with how effective this method is. Now that I have published this post, there will certainly be SEOs in China doing so too. So, will Google's prevention mechanism remain effective if this is abused on a large scale?
On the other hand, it is almost certain that Tom's post will force Google to take active measures to close this vulnerability. Injecting links through XSS attacks is not an effective SEO cheating method. If you want to try it, do it as soon as possible; it will soon be useless.