Paid Advertising
web application security lab

Is XSS Good For SEO?

There’s an interesting post over at Venture Skills blog talking about if XSS is actually good for SEO purposes. While I don’t have any conclusive evidence that he is wrong or right (at least nothing that makes me satisfied by saying that is a correct or incorrect assessment), I will say I have seen evidence that blackhats definitely are using this and search engines definitely are indexing them.

I have also heard blackhat say that it works best when used as a “spice” within a mix of a lot of other normal links, rather then relying on them entirely. Again, I have no evidence that that is true or not, but I wouldn’t refute other people’s experience without evidence. One thing I think is important to mention is that XSS as it stands is NOT good for SEO, nor could it be. What blackhats use is HTML injection, not JavaScript injection. Also, it should be noted that XSS takes on three forms, only one of which is almost hopeless for a search engine to prevent and that is stored XSS. What I will say is it should be pretty easy for search engines to set up rules looking for commonly used reflected HTML injection techniques and devalue them.

6 Responses to “Is XSS Good For SEO?”

  1. Kyran Says:

    Until we can verify that a search spider will actually run Javascript, (, standard XSS which means having some sort of script running, won’t be much of a help for SEO. As you said, without the script, it’s just HTML injection.

    So, until you can confirm what a spider does with what it scrapes, SEO-XSS is pretty useless it seems.

  2. Jeremiah Blatz Says:

    Haha! “No, no I don’t want your session IDs. No, I don’t want to perform fraudulent actions on your behalf. I just need another inbound link or two. kthxbai”

  3. zeno Says:

    I tested blackhat SEO and reflective xss 3-4 years ago on a test domain and it does in fact work.

    - Yes it is blatent in the logs and easily traced back.
    - Yes if your site uses it, you can easily google for all the sites vuln that you used.
    - It depends on the strength of the page being xss’d. If in /index.php chance are it works better than /some/path/rarey/visited.php?xss

  4. jackthecoiner Says:

    Three forms of XSS? Stored, reflected… what’s the third?

  5. Jeremiah Grossman Says:

    By the book!

    AHAHAH, just kidding. DOM-Based XSS

  6. jackthecoiner Says:

    Got it. Cool, thanks for the link. Amit is *very* thorough, isn’t he? :-)