Archive for the ‘XSS Cross Site Scripting’ Category

Google Appliance making Sites XSS Vulnerable

RSnake at ha.ckers.org is reporting:

maluc has discovered that if you keep [Google Search Appliance] on your domain your whole domain is at risk of information leakage, session theft, etc. The hole uses the selected encoding issue I’ve been talking about, but instead of using the US-ASCII encoding issue, he used the UTF-7 hole. Fantastic! He also disclosed a number of vulnerable websites including Stanford, the Food and Drug Administration and the National Institute of Standards and Technology.

It’s an XSS in most sites that use the Google Search API with its generic results template. The API lets the requester pick any encoding for the output, and doesn’t sanitize until after the page has been converted to that encoding.

Google.com uses the same API but is unaffected because it sanitizes in UTF-8 before converting to the output encoding. It will be interesting to see how quickly this can be patched.
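For anyone on the defending side of this, here is an added example (mine, not code from RSnake, maluc or Google) showing in Python why the order matters: escaping applied to the raw bytes before the charset conversion finds nothing to escape, while escaping applied after decoding to text catches the angle brackets. The query bytes are constructed, and the hardened results template is an assumed stand-in for whatever the appliance really does.

```python
from __future__ import annotations

import html

# Constructed sample: a search query as the bytes a browser would send.
# Read as ASCII or UTF-8 it contains no angle brackets at all; interpreted
# as UTF-7 the "+ADw-" / "+AD4-" sequences decode to "<" and ">".
RAW_QUERY = b"+ADw-b+AD4-hello+ADw-/b+AD4-"


def escape_then_convert(raw: bytes, output_charset: str) -> str:
    """The order the post describes for the appliance: escape the raw bytes
    as ASCII text, then hand them to the browser in whatever charset was
    requested.  The filter sees nothing to escape, so the markup only
    appears once the browser reinterprets the bytes."""
    escaped = html.escape(raw.decode("ascii"))
    return escaped.encode("ascii").decode(output_charset)


def decode_then_escape(raw: bytes, input_charset: str) -> str:
    """The order the post credits google.com with: decode to text in a known
    charset first, then escape.  Whatever the bytes meant on the wire, '<'
    and '>' are now visible to the filter and come out as entities."""
    return html.escape(raw.decode(input_charset))


def render_results_page(raw: bytes) -> tuple[dict, str]:
    """Hardened results template (assumed design, not the appliance's code):
    treat input as UTF-8 only, escape after decoding, and pin the output
    charset in both the Content-Type header and the document so the browser
    cannot be asked to reinterpret the page as UTF-7 or anything else."""
    query = html.escape(raw.decode("utf-8", errors="replace"))
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = f'<!DOCTYPE html><meta charset="utf-8"><p>Results for: {query}</p>'
    return headers, body


if __name__ == "__main__":
    print("escape, then convert :", escape_then_convert(RAW_QUERY, "utf-7"))
    print("decode, then escape  :", decode_then_escape(RAW_QUERY, "utf-7"))
    print("pinned UTF-8 page    :", render_results_page(RAW_QUERY)[1])
```

The first call prints live markup, the second prints entities, and the third shows that once the output charset is fixed to UTF-8 the UTF-7 sequences are just inert text.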

Google Creating a Platform for Malicious Hacker Worms?

AJAX has built-in security features that prevent cross-domain requests. This creates a problem for enthusiastic web developers who want to build certain robust web applications (like mashups). The solution? Hack up AJAX to do what you want by removing those annoying security features.

That’s the route that many gung-ho web developers have gone . . . including Google.

But hold on a second! Weren’t those security features built in for a reason? Like for, umm, security or something?

This issue is tackled in Gnucitizen’s article, Google Search API Worms:

Google, one of the biggest AJAX evangelists today, provides JavaScript APIs to allow developers to mash up their services with Google’s enormous capabilities. As a result Google unconsciously enables various types of worms to crawl and exploit the web.

Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress, for example, and this vulnerability allows SQL Injection, a worm may be written to crawl blogs in search of this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.

Another worm might be able to crawl random sites, run generic Cross-site Scripting and SQL Injection checks and send the results to its master, who will use them to release more advanced worms.

It hasn’t happened yet, but according to Gnucitizen it is a real vulnerability. One worm we covered on seoblackhat was the Samy MySpace worm.

Also, I like the icon that Gnucitizen uses for Google; the “Google Grid” shot is taken from the famous Googlezon video. Good stuff!

The Most Cutting Edge SEO Exploits No One is Publishing

You know that the best SEO Black Hats are doing something more than scraping, using a site generator, comment spamming, and pinging to be raking in more than $100k per month.

But what is it?

Right now, there is way too much good stuff that I simply can’t publish on the SEO Black Hat blog. If I posted these tactics and exploits they would immediately get all the wrong kind of attention. The detailed conversations about how exactly to abuse search engine algorithms, generate massive traffic, and what other Black Hats are doing must remain underground to retain their effectiveness.

But what if I told you that you could discuss these exploits with me without paying my $500 an hour consulting fee? What if I told you there was a way to join in on the private, cutting edge discussions with some of the best Black Hats and web entrepreneurs in the world?

Would you be interested?

Because now you can . . .

Today is the official launch of the resource you’ve looked everywhere for but never found:

The Private SEO Black Hat Forum

Normally what you get on forums are people who don’t know anything talking with people who don’t want to say anything. You can occasionally find amazing tips on some forums: but you have to dig through 400 crappy posts just to find one post that is useful. That becomes a huge time sink.

How are the SEO Black Hat forums different?

Quality: We’re not going to have any contests to see who can make the most posts. That just creates tons of crap that no one wants to read. Our focus is on quality over quantity. Our primary concern is with succinctly answering one question: “What works?”

Sophisticated: Many of the topics we discuss are very advanced and require a high level of technical or business acumen to appreciate.

Expert Discussions: The SEO Black Hat forums are not for everyone and they may not be right for you. If you are relatively new to SEO or building websites, then do not join the SEO Black Hat Forums: you will be in way over your head. There are plenty of newbie forums out there for you – this is not one of them. Our forums are for successful web entrepreneurs to develop strategies that drive more traffic and generate more revenues.

Forum Membership Benefits

Access to Expert Advice and Discussions
We have both White Hat and Black Hat Experts that are already benefiting from new tool development, techniques, scripts and the sharing of ideas.
Some members you may already be familiar with include:

* CountZero from blackhat-seo.com (Black Hat)

* RSnake from ha.ckers.org (Web Security Expert)

* Dan Kramer from Kloakit (Cloaking Expert)

* Jaimie Sirovich from seoegghead.com (Token White Hat / SEO Geek)

There are several other members that you are certainly familiar with who are using handles for anonymity. We have others who are more focused on security, vulnerabilities, and coding. There are still more that you are likely unfamiliar with but are nevertheless web millionaires.

Databases – Large Datasets
If you want your sites to have massive amounts of unique content you need large data sets. The trading, discussion and posting of large data sets is going on right now on our forums.

Expired / Deleted Domain Tools
Want to use the same domain tool that I used to get a PageRank 6 site in the gambling space for just $8? This domain tool is available for members to use for free.

50% off on Kloakit – The Professional Cloaking Software

Scripts – Several useful scripts have already been posted, and interesting things you may not have thought of before are being discussed and developed.

Exploits and Case Studies: The really good stuff I can’t talk about on the SEO Blackhat Blog is being discussed on the SEO Black Hat Forums. Right now, some of the conversations include beating captchas, domain kiting, data mining, hoax marketing, XSS vulnerabilities as they relate to SEO, and much more.

Pricing: $100 per month.

The price will soon be rising significantly as more databases, hosted tools, scripts and exploits are added. However, once you lock in a membership rate it will never go up and you will continue to have access to everything.

So, if you think you’re ready for the most intense Black Hat SEO discussions anywhere, then here’s what you need to do:

1. Register at the SEO Black Hat Forums.

2. Go to the User CP and select Paid Subscription.

I’ll see you on the inside!

Greasemonkey Script for XSS Link Building

In the spirit of putting more guns in the hands of children, we bring you more ways to create inbound links with cross site scripting.

RSnake must have finished moving and unpacked his computers, because he has created a Greasemonkey detection script for XSS (Cross Site Scripting).

Here’s the crappy redirect detection Greasemonkey script. I don’t recommend using it, because it sucks, but it was a good proof of concept.

Now, granted, a good chunk of these do not work, but that actually shouldn’t matter much. Without even testing, sending multiple possible attempts to Google, even if 80% of them fail, it’s not like you are giving anything up; you are sending valid links that probably have some custom error logic. It just looks like you are linking to a lot of custom error pages, potentially. So pruning the redirect attack list may or may not help.

SEO by spray and pray. Hat tip to v7n.

Movable Type Backlink Exploit

Do you want free backlinks? Does the Pope shit in the woods?

Boogybonbon has found a way to exploit the preview comment form to create backlinks from Movable Type blogs.

From the post, MovableType preview button good for back links:

As long as the blog is not MovableType 3.2/3.x, the blog will give a nice URL that you can publish into a ping list and get indexed for back links. This is because MovableType 3.x uses JavaScript to convert tags into a preview comment field and, as we all know, search engines can’t see that.

Needless to say, it only took me about 15 minutes to find 6 blogs with PR 5-8, process the forms over to GET, then post the URLs into a couple of ping sites.

Here’s how it works:

The preview comment button on Movable Type blogs uses the POST method, but search engines require the GET method to index a URL. So, what you need to do is:

1. Download the Firefox webmaster tools extension to convert POST forms to GET forms.

2. Find Movable Type blogs.

3. Open the “Preview Comment” form in a new window.

4. Convert the POST Form to a GET Form like this:

How to Convert POST Forms to GET Forms

5. Fill out comment however you like.

6. Press preview comment.

7. Instead of producing a URL like this:

http://www.baseballmusings.com/cgi-bin/mt/mt-comments-pinto.cgi

it will produce a URL like this (images used for formatting purposes):

Example of the Movable Type Backlink Exploit

The links on the produced pages are NOT nofollow.

8. Now, you may want to use a service like TinyURL or a redirect to hide what you are doing (not required).

9. Ping that URL to the Search Engines in splog posts, guestbooks, or however you think best.

Pretty freaking cool, huh?
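From the other side of the fence: the trick works because the preview endpoint accepts a rewritten GET, renders the submitted link as a plain anchor, and lets crawlers index the result. Here is an added example, written by me as a stand-in and not Movable Type’s code, of a preview handler that closes all three gaps. The form field names (`author`, `url`, `text`) and the framework-free request/response shape are assumptions for illustration.

```python
from __future__ import annotations

import html
from http import HTTPStatus
from urllib.parse import parse_qs, urlsplit


def safe_link(raw_url: str) -> str | None:
    """Accept only absolute http(s) URLs for the commenter's link; anything
    else (mailto:, data:, relative paths) is dropped rather than rendered."""
    parts = urlsplit(raw_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(parts.geturl(), quote=True)


def handle_comment_preview(method: str, form_body: str) -> tuple[int, dict, str]:
    """Constructed stand-in for a comment-preview endpoint (assumed design,
    not Movable Type's code).  Returns (status, headers, body)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Even if a copy of this response is cached or linked somewhere,
        # crawlers are told not to index it and not to follow its links.
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "no-store",
    }
    # Only POST reaches the preview logic, so rewriting the form to GET
    # yields no crawlable URL that renders submitter-chosen content.
    if method != "POST":
        headers["Allow"] = "POST"
        return int(HTTPStatus.METHOD_NOT_ALLOWED), headers, "Preview requires POST."

    fields = parse_qs(form_body, keep_blank_values=True)
    author = html.escape(fields.get("author", [""])[0])
    text = html.escape(fields.get("text", [""])[0])
    link = safe_link(fields.get("url", [""])[0])

    # The author name is linked only when the URL passed safe_link, and the
    # anchor always carries rel="nofollow" so no link equity is passed.
    if link is not None:
        author_html = f'<a href="{link}" rel="nofollow">{author}</a>'
    else:
        author_html = author
    body = (
        '<!DOCTYPE html><meta charset="utf-8">'
        '<meta name="robots" content="noindex, nofollow">'
        f"<p>Preview of comment by {author_html}:</p><blockquote>{text}</blockquote>"
    )
    return int(HTTPStatus.OK), headers, body


if __name__ == "__main__":
    sample = "author=reader&url=http%3A%2F%2Fexample.com%2F&text=nice+post"
    print(handle_comment_preview("GET", sample)[0])   # 405: no GET-able preview URL
    print(handle_comment_preview("POST", sample)[2])  # escaped, nofollow'd preview
```

Rejecting GET is the part that breaks the POST-to-GET conversion described in step 4; the robots header and `rel="nofollow"` are belt and braces for the case where a preview response is cached or the method check is bypassed elsewhere.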

I’d like to add a quick reminder that you need to sign up for the SEO Poker Tournament by Tuesday and email me your Pacific Poker username and website URL.

quadszilla (at) seoblackhat.com

HTML Injection – Revisited

Thegooglecache.com has a write-up on one way of Googling for sites that have XSS / HTML injection opportunities.

It also helps if you start adding things to the query like HTML tags in the URL. So, for example….

inurl:”3C*3E” inurl:”font*font” -intext:3C -intext:font

or

inurl:”3C*3E” inurl:”strong*strong” -intext:3C -intext:strong

XSS – Cross Site Scripting flaw at Google

Via Slashdot, Web Security posted a message about a cross site scripting vulnerability at Google:

Two XSS vulnerabilities were identified in the Google.com website, which allow an attacker to impersonate legitimate members of Google’s services or to mount a phishing attack. Although Google uses common XSS countermeasures, a successful attack is possible, when using UTF-7 encoded payloads.

One of the links in the Slashdot submission is described by Phosphor3k as:

Someone [who] is trying to get their Pagerank up by submitting the story with a name of “Security Test” and linking to their shoddy website. The site has only a few links, no content, and it says the page is for sale. Will slashdot ever get their shit together and stop posting submissions with blatant pagerank-whoring links like this?

We covered spam sites getting slashdotted earlier . . . so it must not be that difficult. If you have a compelling and timely story, you can often include a link to one of your sites and get it past the mods if the destination page looks legitimate. To me, this is the ultimate in link dumping.

XSS (Cross Site Scripting) Cheatsheet, by RSnake

I found this very useful page for XSS (Cross Site Scripting). Many of you have asked for more specifics about how to force authority sites to link to your web sites.

The page, XSS (Cross Site Scripting) Cheatsheet: Esp: for filter evasion – by RSnake, covers hex encoding, IP Obfuscation, URL string evasion and more:

“This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:”

Fantastic work; thank you RSnake. If you ever want to write something on SEOblackhat.com, no need to hack it – you’re more than welcome to publish here any time you want.

XSS – Cross Site Scripting Attacks

Dynamic websites suffer from a threat that static websites don’t, called “Cross Site Scripting” (or XSS). Attackers can inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application, often to gather information from users. Imagine yesterday’s example, only more advanced and used as part of a phishing scam (fraud is not cool).

From osvdb.org:

ATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The XSS-Proxy website at SourceForge is a great starting point for getting a primer on XSS and for understanding cross site scripting attacks.

Create Inbound Links from Authority Sites with Exploit

This threadwatch discussion talks about a more advanced way of making authority sites link to you than simply trying to get the Rojo or Google results for your site indexed.

1. A series of pages is created on a domain, say www.mylittlewebsite.com, and the links point to a search request on one of these sites . .
2. Notice the formatting using HEX code: when surrounded by a standard HREF tag this translates the link properly when the request is made to the authority website’s POST for search – the result is properly translated into basic HTML. This is a clever coding exploit; this format ensures the request is properly formatted in basic HTML.
3. Obviously the request is a negative search result on the authority website; however, particular site searches will cache all results of local searches, successful or otherwise.
4. If these search results are spiderable content, then a robot such as Googlebot will view the cached results and see inbound links from a high profile authority site pointing to the domain in question.

Sometimes hex is not required. You just enter the tags the same as if you were coding html but into the search field of a site with the vulnerability. Other times, a hex converter can come in handy.
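For a site owner wondering whether their own search page is being used this way, the tell is in the access log: search parameters whose value, once the hex (percent) encoding and any HTML entities are peeled off, contains a tag. Here is an added detection example of mine (not from the Threadwatch thread or any tool it mentions) that scans constructed Apache-style log lines; the IPs are documentation ranges and the list of search parameter names is an assumption to adjust per application.

```python
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from any real site; the IPs are
# documentation ranges).  Lines 2-4 carry markup in the search parameter
# behind one, two, and entity-plus-percent layers of encoding.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 -0700] "GET /search?q=donate+blood HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2006:13:55:40 -0700] "GET /search?q=%3Ca+href%3D%22http%3A%2F%2Fexample.net%22%3Ehi%3C%2Fa%3E HTTP/1.1" 200 5300
203.0.113.9 - - [10/Oct/2006:13:55:41 -0700] "GET /search?q=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 5200
203.0.113.9 - - [10/Oct/2006:13:55:42 -0700] "GET /search?q=%26lt%3Bi%26gt%3Bhi HTTP/1.1" 200 5210
198.51.100.2 - - [10/Oct/2006:13:56:01 -0700] "GET /about HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# An opening or closing tag: "<", optional "/", then a letter.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")
# Parameter names a site search typically uses (assumed; adjust per application).
SEARCH_PARAMS = ("q", "query", "search", "s")


def canonicalize(value: str, rounds: int = 3) -> str:
    """Peel off layered %-encoding and HTML entities until the text stops
    changing, so the check sees roughly what a browser would render if the
    search page echoed the value unescaped.  Entity decoding is deliberately
    broad: it also flags probing with &lt;...&gt; where the page itself would
    have been safe, which is acceptable for a detection rather than a block."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search_params(line: str) -> list[tuple[str, str]]:
    """Return (param, canonical value) pairs where a search parameter on this
    log line contains markup once decoded.  parse_qs already removes one
    layer of %-encoding; canonicalize handles anything stacked beneath it."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in SEARCH_PARAMS:
            continue
        for value in values:
            canonical = canonicalize(value)
            if TAG_RE.search(canonical):
                hits.append((name, canonical))
    return hits


def scan(log_text: str) -> list[tuple[str, list[tuple[str, str]]]]:
    """Walk a log, returning (client IP, hits) for each line with a hit."""
    results = []
    for line in log_text.splitlines():
        hits = suspicious_search_params(line)
        if hits:
            results.append((line.split()[0], hits))
    return results


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        for name, value in hits:
            print(f"{ip} sent markup in {name}={value!r}")
```

Run against the sample it reports the three encoded probes and ignores the plain “donate blood” search; the same `canonicalize` step is what the search page itself should apply before escaping, since a filter that only looks for a literal `<` is exactly what the hex converter mentioned above is meant to get past.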

I have seen instances that include JavaScript and other elements. The Red Cross search results (long URL) page is a PR 0, but I’ve found up to a PR 6 (someone on TW said they had a 7). I picked the Red Cross as an example to hopefully encourage donations.

All I had to do was dig around for a bit to come up with a healthy list. If any registered seoblackhat readers would like a few more examples, just drop a comment or e-mail me.

Update: Sites with HTML injection vulnerabilities are now available only to members of the SEO Black Hat Forum.