Sites vulnerable to XSS can be used to phish Googlebot


One common security vulnerability developers must take into account is Cross-Site Scripting (XSS). XSS can be mitigated or defended against by sanitization procedures that test the values of variables in GET and POST requests. Server-side attacks exist as well, but are well beyond the scope here. Apparently, Googlebot and Google's indexing currently suffer from this vulnerability.

Phishing Googlebot?

Although XSS attacks can be used to deface or sabotage websites, XSS is also one method for phishing. An attacker crafts a malicious link to a website vulnerable to XSS and sends users an email containing that link. When a user clicks the malicious link, a script runs when the page loads. Newer versions of Chrome have an XSS Auditor sanity check for URLs that might otherwise fool users.

Unfortunately, Googlebot currently operates running Chrome 41, an earlier version of the browser that does not have the XSS Auditor. Does this mean Googlebot is vulnerable to phishing-style URLs where an attacker might inject a malicious SEO attack script? For Google, an attacker might use JavaScript to inject elements into the DOM such as backlinks, and worse, manipulate the canonical.

XSS Googlebot exploit

The proof of concept (PoC) for this attack was published by SEO (and Security Researcher) Tom Anthony depicting the success of the attack method, including evidentiary screenshots of Google Search Console’s URL Inspection Tool displaying a modified source code as a result of the payload. Keep in mind that running a malicious script in this way has the potential to entirely rewrite the page for indexing.

Tom describes having undertaken the proper steps of vulnerability disclosure, listing a timeline of his communications with Google, and characterizing the responses. At this stage, Tom’s disclosure is an iffy prospect because the vulnerability conceivably still works in the wild, despite Google having told him in March it has “security mechanisms in place” for it. Security researchers sometimes publish 0day (unpatched) vulnerabilities in order to prompt companies into action.

Google’s response

Tom noted that people have seen evidence of a pending Googlebot upgrade, which would presumably include the XSS Auditor URL filter. Once Googlebot upgrades to a newer version of Chrome with the XSS Auditor in place, this attack will no longer work. In the meantime, Google can conceivably index and publish malicious links in SERPs that unwitting users of Firefox (which doesn't currently have an XSS Auditor of its own) could click and get phished.

We received the following statement from Google: “We appreciate the researcher bringing this issue to our attention. We have investigated and have found no evidence that this is being abused, and we continue to remain vigilant to protect our systems and make improvements.”

Exploits using XSS techniques are so widespread it’s conceivable that it’s happening somewhere. It’s simultaneously believable that no one other than the researcher has tried it.

How to protect against XSS attacks

To prevent the most common attacks, you need to make sure no malicious code (JavaScript, PHP, SQL etc.) gets through to be processed by your application. Build in expectations about request values, such as an assurance that only the exact number of correctly named variables is present with every request. You should also encode data-type restrictions that test incoming values before proceeding.

For example, if your application is expecting a number then it should throw an exception, redirect, and maybe temporarily blacklist the IP address if it gets a string value as part of a bad request. The trouble is, there are a lot of fairly popular websites which are vulnerable to this sort of attack because they don’t take such steps. It’s fairly commonplace for attackers to pick at applications modifying request variable values to look for exploit opportunities.
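As an added example that is not part of the original article, the following Node.js code applies the two checks just described: a request validator that accepts only the exact, expected set of parameter names with the expected data types, and HTML escaping of any validated value before it is reflected into the page. The `SCHEMA` for a search page, and `renderSearchPage`, are hypothetical.

```javascript
// Added example (not the article's code): schema-based request validation plus
// output encoding. SCHEMA is a hypothetical parameter list for a search page.
const SCHEMA = { page: 'int', q: 'string' };
const MAX_STRING_LENGTH = 200;

function validateRequest(rawQuery, schema = SCHEMA) {
  const params = new URLSearchParams(rawQuery);
  const names = [...params.keys()];              // a repeated name appears twice here
  const expected = Object.keys(schema);
  // Exactly the expected names: no extras, nothing missing, no duplicates.
  const sameSet = names.length === expected.length && expected.every((n) => params.has(n));
  if (!sameSet) return { ok: false, reason: 'unexpected parameter set' };

  const clean = {};
  for (const [name, type] of Object.entries(schema)) {
    const value = params.get(name);
    if (type === 'int') {
      // Digits only: a string where a number is expected is a bad request.
      if (!/^\d{1,9}$/.test(value)) return { ok: false, reason: `${name} must be an integer` };
      clean[name] = Number(value);
    } else {
      if (value.length === 0 || value.length > MAX_STRING_LENGTH) {
        return { ok: false, reason: `${name} has an invalid length` };
      }
      clean[name] = value;
    }
  }
  return { ok: true, params: clean };
}

// Output encoding for HTML text and attribute contexts.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the response for the hypothetical search page. A bad request is refused
// outright; a good one is rendered with every reflected value escaped, so a
// crafted query cannot add its own markup (a backlink, a canonical tag) to the page.
function renderSearchPage(rawQuery) {
  const result = validateRequest(rawQuery);
  if (!result.ok) return { status: 400, body: `Bad request: ${result.reason}` };
  const { page, q } = result.params;
  return {
    status: 200,
    body: `<title>${escapeHtml(q)} - page ${page}</title>\n<h1>Results for ${escapeHtml(q)}</h1>`,
  };
}
```

The 400 response is where an application would also log the request or apply the temporary IP blacklisting the article mentions.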

One of Google’s proposals against XSS attacks takes the data-type sanity test described above to the HTTP response header level with what it calls Trusted Types. Although it hasn’t yet been widely adopted, Trusted Types may eventually serve as an important tactic for protecting your pages. That the vulnerability is not currently patched, however, is why it’s iffy to publish 0days. Google is vulnerable to this exploit.


About The Author

Detlef Johnson is Editor at Large for Third Door Media. He writes a column for Search Engine Land entitled “Technical SEO for Developers.” Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 20 years ago. Since then he has worked for major search engine technology providers, managed programming and marketing teams for Chicago Tribune, and consulted for numerous entities including Fortune 500 companies. Detlef has a strong understanding of Technical SEO and a passion for Web programming. As a noted technology moderator at our SMX conference series, Detlef will continue to promote SEO excellence combined with marketing-programmer features and webmaster tips.





LinkedIn Users Can View All Sponsored Content From the Past 6 Months


LinkedIn pages will soon feature an ‘Ads’ tab showing all sponsored content an advertiser has run in the past six months.

The company says this change is being made in an effort to bring even greater transparency to ads on LinkedIn.

“At LinkedIn, we are committed to providing a safe, trusted, and professional environment where members can connect with each other, engage with relevant content, and grow their careers. Increased transparency to both our customers and members is critical to creating this trusted environment.”

While viewing ads in the new tab, users can click on the ads but the advertiser will not be charged.

Ad clicks from within the ‘Ads’ tab will not impact campaign reporting either.

From a marketing perspective, I see this as being an opportunity for competitor research.

Do you know a company who is killing it with LinkedIn advertising? View their ads tab to see if you can learn from what they’re doing.

Of course, the Ads tab will only show you what their ads look like.

It won’t reveal anything about how those ads are targeted or what the company’s daily budget is. But hey, it’s something.

LinkedIn says this is the first of many updates to come as the company furthers its effort to provide users with useful information about the ads they see.

The new Ads tab is rolling out globally over the next few weeks.






SEMrush expands to Amazon with Sellerly for product page testing


SEMrush is a popular competitive intelligence platform used by search marketers. The company, recently infused with $40 million in funding to expand beyond Google, Bing and Yahoo insights, has launched a new product called Sellerly specifically for Amazon sellers.

What is Sellerly? Announced Monday, Sellerly is designed to give Amazon sellers the ability to split test product detail pages.

“By introducing Sellerly as a seller’s buddy in Amazon marketing, we hope to improve hundreds of existing Amazon sellers’ strategies,” said SEMrush Chief Strategy Officer Eugene Levin in a statement. “Sellerly split testing is only the first step here. We’ve already started to build a community around the new product, which is very important to us. We believe that by combining feedback from users with our leading technology and 10 years of SEO software experience, we will be able to build something truly exceptional for Amazon sellers.”

How does it work? Sellerly is currently free to use. Amazon sellers connect their Amazon accounts to the tool in order to manage their product pages. Sellers can make changes to product detail pages to test against the controls. Sellerly collects data in real time and sellers can then choose winners based on views and conversions.

Sellers can run an unlimited number of tests.

Why we should care. Optimized product detail pages on Amazon are a critical aspect of success on the platform. As Amazon continues to generate an increasing share of e-commerce sales for merchants big and small, and competition only increases, product page optimization becomes even more critical. Amazon does not support A/B testing natively. Sellerly is not the first split test product for Amazon product pages to market; Splitly (paid) and Listing Dojo (free) are two others that offer similar split testing services.


About The Author

Ginny Marvin is Third Door Media’s Editor-in-Chief, managing day-to-day editorial operations across all of our publications. Ginny writes about paid online marketing topics including paid search, paid social, display and retargeting for Search Engine Land, Marketing Land and MarTech Today. With more than 15 years of marketing experience, she has held both in-house and agency management positions. She can be found on Twitter as @ginnymarvin.




Google on Domain Penalties that Don’t Expire


Google’s John Mueller was presented with a peculiar situation: a website with zero notifications of a manual action that cannot rank for its own brand name. Mueller analyzed the situation, thought it through, then appeared to reach the conclusion that maybe Google was keeping it from ranking.

This is a problem that has existed for a long time, from before Mueller worked at Google. It’s a penalty that’s associated with a domain that remains even if the domain is registered by a new buyer years later.

Description of the Problem

The site with a penalty has not received notices of a manual penalty.

That’s what makes it weird because, how can a site be penalized if it’s not penalized, right?

The site had an influx of natural links due to word of mouth popularity. Yet even with those links, the site cannot rank for its own name or for a snippet of content from its home page.

Had those natural links or the content been a problem, then Google would have notified the site owner. So the problem is not with the links or the content.

Nevertheless, the site owner disavowed old inbound links from before he purchased the site but the site still did not rank.

Here is how the site owner described the problem:

“We bought the domain three years ago to have a brand called Girlfriend Collective, it’s a clothing company on the Shopify platform.

We haven’t had any… warnings from our webmaster tools that says we have any penalizations… So I was just wondering if there was any other underlying issues that you would know outside of that…

The domain is girlfriend.com and the query would be Girlfriend Collective.

It’s been as high as the second page of the SERPs, but… we get quite a few search queries for our own branded terms… it will not show up.

My assumption was that before we bought it, it was a pretty spammy dating directory.”

John Mueller’s response was:

“I can double check to see from our side if there’s anything kind of sticking around there that you’d need to take care of…”

It appears as if Mueller is being circumspect in his answer and doesn’t wish to say that it might be a problem at Google. At this point, he’s still holding on to the possibility that there’s something wrong with the site. You can’t blame him because he probably gets this all the time, where someone thinks it’s Google but it’s really something wrong with the site.

Is There Something Wrong with the Domain Name?

I checked Archive.org to see what its history was. It was linking to adult sites prior to 2004, and sometime in mid-2004 the domain switched its monetization strategy away from linking to adult sites to displaying Google ads as a parked domain.

A parked domain is a domain that does not have a website on it. It just has ads. People used to type domain names into the address field and sites like Girlfriend.com would monetize the “type-in” traffic with Google AdSense, usually with a service that shows ads on the site owner’s behalf in exchange for a percentage of the earnings.

The fact that it was linking to adult sites could be a factor that has caused Google to more or less blacklist Girlfriend.com and keep it from ranking.

Domain Related Penalties Have Existed for a Long Time

This has happened many times over the years. It used to be standard to check the background of a domain before purchasing it.

I remember the case of a newbie SEO who couldn’t rank for his own brand name. Another SEO who was more competent contacted Google on his behalf and Google lifted the legacy domain penalty.

The Search Query

Mueller referred to the search queries the site owner wanted to rank for as being “generic” and commented that ranking for those kinds of “generic” terms is tricky.

This is what John Mueller said:

“In general, when it comes to kind of generic terms like that, that’s always a bit tricky. But it sounds like you’re not trying to rank for like just… girlfriend.”

However the phrase under discussion was the company name, Girlfriend Collective, which is not a generic phrase.

It could be argued that the domain name is not relevant for the brand name. So perhaps Mueller was referencing the generic nature of the domain name when he commented on ranking for “generic” phrases?

I don’t understand why “generic” phrases entered into this discussion. The site owner answered Mueller to reinforce that he’s not trying to rank for generic phrases, that he just wants to rank for his brand name.

The search phrase the site owner is failing to rank for is Girlfriend Collective. Girlfriend Collective is not a generic keyword phrase.

Is the Site Poorly Optimized?

When you visit the website itself, the word Collective does not exist in the visible content.

The word “collective” is nowhere in the page text, not even in the footer copyright. The word is there, but only in an image; it has to be in text for Google to recognize it for the regular search results.

That’s a considerable oversight to omit your own brand name from the website’s home page.

Screenshot of Girlfriend.com's footer

  • The brand name exists in the title tag and other meta data.
  • It does not exist in the visible content where it really matters.
  • The word collective is not a part of the domain name.

A reasonable case could be made that girlfriend.com does not merit ranking for the brand name of Girlfriend Collective because the word collective only exists in the title tag of the home page, not on the page itself.

Google Does Not Even Rank it for Page Snippets

However, that reasonable case falls apart upon closer scrutiny. If you take any content from the page and search for that snippet of content in Google, you’ll see that the domain does not even rank for the content that is on its own page.

The site is fully indexed, but the content is not allowed to rank.

I searched for the following phrases but only found other pages and social media posts ranking in Google, not Girlfriend.com:

  • “Five classic colors made from recycled water bottles.”
  • “A bunch of old water bottles have never looked so good.”

That first phrase, “Five classic colors…” doesn’t rank anywhere on Google for the first several pages.

But as you can see below, Girlfriend.com ranks #6 in Bing:

Screenshot of Girlfriend.com ranking in Bing.

Bing has no trouble ranking Girlfriend Collective for a snippet of text taken from the home page. Google does not show it at all. This points to this issue being something to do with Google and not with the site itself.

Even though Girlfriend.com appears to fall short in its search optimization, that is not the problem. The problem is that Google is preventing any content from that domain from ranking.

The reason Google is preventing that content from ranking is because the domain was problematic in the past. At some point in its history it was filtered from ranking. It’s a Legacy Google Penalty.

Checking the snapshot of girlfriend.com via Archive.org shows that it was being used to promote adult websites prior to 2004.

This is what it looked like sometime in 2004 and onward. It appears to be a parked domain that is showing Google AdSense ads.

Screenshot of Girlfriend.com from 2004.

This is a snapshot of Girlfriend.com circa 2004. It wasn’t a directory as the site owner believed. Checking the HTML source code reveals that the page is displaying Google AdSense ads. That’s what a parked domain looked like.

Parked domains used to be able to rank. But at some point after 2004 Google stopped ranking those pages.

There’s no way to know whether the domain received its penalty before 2004 or after.

Site Can’t Rank for its Own Brand Name

There are many reasons why a site can’t rank for its own domain name or for words from its own pages. If you suspect that your site may be suffering from a legacy Google penalty, you can verify the previous content by checking Archive.org.

Archive.org is a non-profit that stores snapshots of what web pages look like. Archive.org allows you to verify if your domain was previously used by someone else to host low quality content.

Unfortunately, Google does not provide a way to contact them to resolve this matter.

Bing Ranks Girlfriend.com for Girlfriend Collective

If there was a big problem with links or content on Girlfriend.com that was keeping it from ranking on Google, then it would very likely be apparent on Bing.

Bing and Google use different algorithms. But if there was something so massively wrong with Girlfriend Collective, whether site quality or a technical issue, there would be a high probability that the massive problem would keep it from ranking at Bing.

Bing has no problem ranking Girlfriend.com for its brand name:

Screenshot of Bing search results showing that it ranks Girlfriend.com in a normal manner.

Bing ranks Girlfriend.com in a normal manner. This may be proof that there is no major issue with the Girlfriend.com site itself. The problem may be at Google.

Google’s John Mueller Admits it Might be Google

After listening to how the site owner has spent three years waiting for the legacy domain penalty to drop off, three years of uploading disavows, three years of bidding on AdWords for its own brand name, John Mueller seemed to realize that the issue was not on the site owner’s side but on Google’s side.

This is what John Mueller offered:

“I need to take a look to see if there’s anything sticking around there because it does seem like the old domain was pretty problematic. So that… always makes it a little bit harder to turn it around into something reasonable.

But it feels like after a couple of years that should be possible.”

In the end, Mueller admitted that it might be something on Google’s side. However, an issue that remains is that there is no solution for other publishers. This is not something a publisher can do on their own, like a disavow. It’s something a Googler must be made aware of in order to fix.

Watch the Google Webmaster Hangout here

Screenshots by Author, Modified by Author






Copyright © 2019 Plolu.