Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Ways to improve page rank, or deceptively get more users to your websites or away from your competition. Where you can discuss SEO (search engine optimization) issues as it relates to computer security. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
HTML Injection via user-agent
Posted by: Ian
Date: September 29, 2006 01:01PM

I came upon something interesting lately, namely people trying to inject HTML into our website via the user-agent HTTP header.

The HTML mostly consists of links to Viagra, porn, and other random websites, and so it looks like these sites are making an attempt at SEO, but why the user-agent header? Is there something that I'm missing that makes this a valid SEO technique?

I don't know much about SEO, but it just doesn't seem like injecting links into user-agent headers would be effective at all.

So what do you guys think, is this just amateurish SEO, an effective technique that I don't understand, or something completely different?

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: rsnake
Date: September 29, 2006 03:00PM

Yes, there is a valid reason... some people actually post their logs online. The search engines pick it up and it stays persistant until they clean their logs (which may be never).

I've used similar techniques (but XSS) by modifying the user agent to pop an alert box where it showed up to alert administrators of the issue. Unfortunately I stumbled upon an SQL injection issue once (the quotes I guess) and it actually brought the server down (oops!). After that I stayed clear of injecting XSS via user agents.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: alf
Date: November 17, 2006 12:31PM

rsnake Wrote:
-------------------------------------------------------
> Unfortunately I stumbled upon an SQL injection
> issue once (the quotes I guess) and it actually
> brought the server down (oops!). After that I
> stayed clear of injecting XSS via user agents.

LMAO, the same thing happend to me @ the beginning of this year, the page of a big airport, lil' alfie found the XSS, played around with it, and whoops! the server was down for about 5 minutes. i was scared as hell ;)

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: maluc
Date: November 17, 2006 01:23PM

well sometimes it's just an IPS refusing your requests for a while.. which is a pain. But it's meant to be a pain ^^

-maluc

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: rsnake
Date: November 18, 2006 11:18PM

I don't think it was an IPS... First this was a few years back when XSS wasn't really as big a deal as it is now. Secondly I could still get to the site but none of the dynamic pages were rendering anymore. I guess theoretically it could have been a bizzare implementation of an application firewall but I doubt it. I think it was just a really crappy implementation of some custom script that wasn't expecting those characters in the user agent. Oops.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: maluc
Date: November 18, 2006 11:50PM

i should've specified.. but i was referring to alf's downtime of 5minutes. The easiest test against an IPS though would be to just try it through a proxy like proxydrop.com and see if it's still functional.

and yes, there's a good chance something like that was from a runaway script.. oops indeed ^^

-maluc

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: kishord
Date: December 06, 2006 01:01AM

@ Ian,

Here is an example of user-agents etc. going into logs history
http://springenwerk.org/usage/usage_200611.html

Options: ReplyQuote
Re: HTML Injection via user-agent
Posted by: alf
Date: February 01, 2007 02:08PM

btw I had xss in my useragent for some time aswell,

and suddenly i was banned from all the governmental homepages... I removed the Useragent and set it to default and it worked again ;-)

So I think my javascript alert has scared a sysop like hell :P (while reading the logs in his cms)

Options: ReplyQuote


Sorry, only registered users may post in this forum.