Google Indexes XSS

Today Ghozt on the XSS forums found a rather interesting link while searching Google. He’s found proof that Google will in fact index XSS. The link that Ghozt found was actually not a working XSS exploit, but that’s irrelevant. In this case, if it had worked, Google would have indexed it and shown a working exploit. This is the first time I’ve seen 100% proof that Google will index cross-site scripting attacks. Cool!

We all thought it probably was true, but until now I hadn’t seen any verifiable proof of such. Sure enough this was indexed from a blog post by Nitesh Dhanjani, here and here. So perhaps there is some ranking associated with the potential importance of such a link, and therefore Google will only index an XSS if it is coming from a trusted host (raising the importance of persistent XSS on trusted domains - like .edu TLDs as Jamie was talking about). Either way, it’s pretty exciting to see a theory turn into proof.

  1. Robert Says:

    I’ve experimented with using XSS for the purpose of SEO and sure enough crawlers will crawl any link you throw at them (not a surprise really they have no idea what a bad link looks like being there is no good link standard :)

    One of the disadvantages is that it is extremely easy to identify if a domain name is abusing using this method since every site linking to it is displayed including the xss’d domains.

    On a separate note I have a year’s worth of data that I’m trying to figure out a way to release regarding which search engine crawlers I can use to relay attacks for me. Info is 2-3 years old so may not be as relevant/interesting anymore *shrug*.

  2. RSnake Says:

    I for one would be very interested in that data. What format is it in? Trending information is just as interesting as up to date current information to me.

  3. Robert Says:

    Actually the data is kind of pathetic, it’s in email format. :) Check this URL out and view page src and look at the bottom left hand corner to see what I’m doing.

    Again the data is years old but I have everything logged (a few thousand total hits I believe off of the top of my head)

    I believe I can identify the day I stopped making the public links, and how long each spider kept hitting the URL for afterwards but it will take some work.

  4. Cory Says:

    Is XSS not part of “all the world’s information?” ;)

  5. RSnake Says:

    Heh. Cory, if that were the case, then you’d bring back all the currently disabled Google dorks, no?

  6. reputation management: viagra spam on .edu Says:

    Hey Snake,

    Nice security/hacking/seo blog here. Just a quick line because I thought you might be interested in a post I wrote on the .edu hacking.