web application security lab

EDUs Vulnerable to XSS

Jaimie Sirovich is at it again with his scanner. This time he aimed it at some .edu domains. The risks aren’t that high compared to the reward for the SEO community. For search engine optimization it’s really helpful to have .EDU domains. In this case, using cross site scripting is particularly useful for hijacking page rank via HTML injection.

One thing I think is interesting is how close XSS and SEO HTML injection really are. Really, the XSS cheat sheet is not designed for straight HTML injection. Primarily, all you are interested in for SEO is how to either a) redirect or b) increase pagerank by getting sites that have good pagerank to link to you. Persistence is better than reflection, but it appears anything will do. For all their similarities, the major difference, that JavaScript isn’t as important as links, is a pretty substantial one.
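The point above, that links matter more than JavaScript for this kind of abuse, as an added example that is not part of the original post: a hypothetical filter that strips only script vectors still reflects a working off-site link, while HTML-escaping the reflected value removes it. The host names, the filter and every function name here are assumptions made for the demo.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.edu"  # constructed host name for the demo

def script_only_filter(value: str) -> str:
    """Hypothetical blacklist that targets JavaScript vectors only."""
    value = re.sub(r"(?is)<script.*?>.*?</script\s*>", "", value)
    value = re.sub(r"(?i)\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", value)
    return re.sub(r"(?i)javascript\s*:", "", value)

def render_weak(query: str) -> str:
    # Reflects the value after the script-only filter: markup survives.
    return "<p>Results for: " + script_only_filter(query) + "</p>"

def render_escaped(query: str) -> str:
    # Reflects the value as text: <, >, & and quotes become entities.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"

class OffsiteLinkFinder(HTMLParser):
    """Collects href targets of <a> elements that point to another host."""
    def __init__(self):
        super().__init__()
        self.offsite = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlparse(href).hostname
        if host and host != SITE_HOST:
            self.offsite.append(href)

def offsite_links(page: str) -> list:
    """Return the off-site link targets a crawler would see in the page."""
    finder = OffsiteLinkFinder()
    finder.feed(page)
    finder.close()
    return finder.offsite

# Constructed sample input: plain link markup, no script anywhere.
SAMPLE = '<a href="http://other.example/">cheap widgets</a>'

if __name__ == "__main__":
    print("script-only filter:", offsite_links(render_weak(SAMPLE)))
    print("HTML-escaped:      ", offsite_links(render_escaped(SAMPLE)))
```

Running `offsite_links` over rendered responses in a test suite is one way to check that no reflected parameter can add a link to the page.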

The fact that Harvard is full of XSS holes isn’t that interesting, as practically everything is, but the fact that cross site scripting is being actively used by bad guys is. The SEO Blackhat forums have a number of real world examples of where SEO experts are using these exploits actively. If you can afford the $100 a month it’s worthwhile from an academic standpoint, or if you are trying to monetize your own traffic better.

2 Responses to “EDUs Vulnerable to XSS”

  1. lobas Says:

    I thought Google wasn’t recognising these kinds of HTML injection links with POST GET requests “anymore”

  2. RSnake Says:

    I’m not aware of that, and they certainly cannot stop persistent XSS from getting indexed. But if you have evidence that they have stopped indexing reflected XSS please let me know what it is.