Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Some weird idea
Posted by: blad3
Date: December 25, 2006 12:37PM

By "mistake" I managed to reach The Anti-Google FAQ and I had this weird idea.
Would it be possible to use an XSS vulnerability to ban this website from Google?
The idea is to prepare a URL that would inject HTML code that violates as many Google rules as possible and then to submit this URL to Google.
The crawler would visit this URL and ...
This is the question: do you guys think that something like this would work?
Not that I want to do something like that, I'm a nice guy, but this idea just popped up in my mind.

http://blog.outer-court.com/archive/2006-12-11-n75.html

Re: Some weird idea
Posted by: Torstein
Date: December 25, 2006 04:14PM

I highly doubt Google executes the JavaScript it crawls. Good idea though.

Re: Some weird idea
Posted by: Kyran
Date: December 25, 2006 04:50PM

Instead of injecting a script tag into the query, use an iframe. ;D

- Kyran

Re: Some weird idea
Posted by: jungsonn
Date: December 25, 2006 06:02PM

Yes, it already happened. Google indexes such URLs you submit to crawl; RSnake has written an article about this on his blog a while back. But the crawler does nothing; it is listed in search queries and a USER can execute it. Don't know if it still works, but it's easy to try it out.



Edited 1 time(s). Last edit at 12/25/2006 06:03PM by jungsonn.

Re: Some weird idea
Posted by: blad3
Date: December 27, 2006 01:31PM

Yes, Google does not execute JavaScript. I think it should.
Otherwise, you are not able to crawl much these days.

Anyway, Google does not need to execute JavaScript for this attack to work.
I was talking about XSS but I was thinking more about HTML injection.
Basically you don't need JavaScript at all. You just need to inject bad HTML code into the page (e.g. a font tag causing white-on-white, as described in that link from the first post).

p.s.
Jungsonn, could you please give a link to this post from RSnake? I don't think I read it. Thanks.



Edited 1 time(s). Last edit at 12/27/2006 01:33PM by blad3.

Re: Some weird idea
Posted by: jungsonn
Date: December 27, 2006 03:26PM

I thought it was this one:
http://ha.ckers.org/blog/20060928/google-indexes-xss/

Re: Some weird idea
Posted by: rsnake
Date: December 28, 2006 10:10AM

Yup, and you aren't the first person to come up with this, actually. Googlebowling can take a number of forms. Not the least of which is injecting the ToS issue directly into the site, and having Google index that. You could also potentially tell Google to go look at something that forwards them to the non-persistent XSS. At this point all of this is conjecture, but I don't see why it wouldn't be possible.

- RSnake
Gotta love it. http://ha.ckers.org
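
A defender's view of what this thread describes, as an added example that is not part of the original thread: a log check that flags search-crawler fetches whose query string decodes to HTML tags, which is what a submitted injection URL looks like from the server side. The log lines, the crawler pattern and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined Log Format: "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"(?:GET|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# An opening or closing HTML tag, e.g. <font ...>, <iframe ...>, </div>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Assumption: user-agent substrings to watch. The UA can be spoofed, so a hit
# is a lead to review, not proof the fetch came from the real crawler.
CRAWLER_RE = re.compile(r"googlebot|bingbot", re.IGNORECASE)

def decode_query(query, rounds=3):
    """URL-decode repeatedly so double-encoded markup (%253C) is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def crawler_markup_hits(lines):
    """Return (path, decoded query) for crawler fetches answered with 200
    whose query string carries HTML tags once decoded."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["status"] != "200" or not CRAWLER_RE.search(m["ua"]):
            continue
        parts = urlsplit(m["target"])
        query = decode_query(parts.query)
        if TAG_RE.search(query):
            hits.append((parts.path, query))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE = [
    f'192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /search?q=%3Cfont+color%3D%22white%22%3Ehidden+text%3C%2Ffont%3E HTTP/1.1" 200 512 "-" "{BOT}"',
    f'192.0.2.10 - - [01/Jan/2007:10:00:05 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048 "-" "{BOT}"',
    '192.0.2.77 - - [01/Jan/2007:10:01:00 +0000] "GET /search?q=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux)"',
    f'192.0.2.10 - - [01/Jan/2007:10:02:00 +0000] "GET /page?x=%253Ciframe%2520src%253D%2522http%253A%252F%252Fexample.invalid%252F%2522%253E HTTP/1.1" 200 700 "-" "{BOT}"',
]

if __name__ == "__main__":
    for path, query in crawler_markup_hits(SAMPLE):
        print(path, query)
```

Each hit names a page that echoes a request parameter; that page is where to confirm the parameter is HTML-encoded on output.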
