web application security lab

SEO redirects continued

Jaimie Sirovich just posted an amendment to my post about SEO redirection on his blog.  His post expounds on my crappy SEO redirection explanation by adding in the logging script, making it more customizable and in general less lame.  His is better, check it out.  I think this really is a huge problem that will stay around for quite a while.  I started finding these in Google a while back, and then they came fast and furious.

Ultimately, this technique should be replaced by XSS injection rather than redirection because XSS will no doubt prove a better link quality.  Jaimie emailed me and asked a very poignant question:

I would assume that a URL with a dynamic parameter string that is
linked only externally would be devalued. Not that I’m a blackhat, or
that I know this stuff from a BH angle, but does this actually work?
I’m way too white ….

Well, the answer is that it probably doesn’t devalue it currently, not that that won’t change soon enough.  In the case of a simple 301 redirect the answer is correct: ultimately this should be devalued by Google and all other search engines as a form of weight.  In the case of injection of a META tag or other forms of redirection, the possibilities for it being indexed are relatively high if it is crosslinked.

Eventually, this will be a bigger problem as automated XSS injection becomes more prevalent.  I’ll probably write something about “super worms” soon that will explain why this could have way bigger implications than simple redirects, but I also wanted to get something out soon, because I had been promising this script for a while to Quadzilla and a few other folks.
