I came upon something interesting lately, namely people trying to inject HTML into our website via the user-agent HTTP header.

The HTML mostly consists of links to Viagra, porn, and other random websites, and so it looks like these sites are making an attempt at SEO, but why the user-agent header? Is there something that I'm missing that makes this a valid SEO technique?

I don't know much about SEO, but it just doesn't seem like injecting links into user-agent headers would be effective at all.

So what do you guys think, is this just amateurish SEO, an effective technique that I don't understand, or something completely different?

Yes, there is a valid reason... some people actually post their logs online. The search engines pick it up and it stays persistant until they clean their logs (which may be never).

I've used similar techniques (but XSS) by modifying the user agent to pop an alert box where it showed up to alert administrators of the issue. Unfortunately I stumbled upon an SQL injection issue once (the quotes I guess) and it actually brought the server down (oops!). After that I stayed clear of injecting XSS via user agents.

- RSnake
Gotta love it. http://ha.ckers.org

rsnake Wrote:
-------------------------------------------------------
> Unfortunately I stumbled upon an SQL injection
> issue once (the quotes I guess) and it actually
> brought the server down (oops!). After that I
> stayed clear of injecting XSS via user agents.

LMAO, the same thing happend to me @ the beginning of this year, the page of a big airport, lil' alfie found the XSS, played around with it, and whoops! the server was down for about 5 minutes. i was scared as hell ;)

well sometimes it's just an IPS refusing your requests for a while.. which is a pain. But it's meant to be a pain ^^

-maluc

I don't think it was an IPS... First this was a few years back when XSS wasn't really as big a deal as it is now. Secondly I could still get to the site but none of the dynamic pages were rendering anymore. I guess theoretically it could have been a bizzare implementation of an application firewall but I doubt it. I think it was just a really crappy implementation of some custom script that wasn't expecting those characters in the user agent. Oops.

- RSnake
Gotta love it. http://ha.ckers.org

i should've specified.. but i was referring to alf's downtime of 5minutes. The easiest test against an IPS though would be to just try it through a proxy like proxydrop.com and see if it's still functional.

and yes, there's a good chance something like that was from a runaway script.. oops indeed ^^

-maluc

@ Ian,

Here is an example of user-agents etc. going into logs history
http://springenwerk.org/usage/usage_200611.html

btw I had xss in my useragent for some time aswell,

and suddenly i was banned from all the governmental homepages... I removed the Useragent and set it to default and it worked again ;-)

So I think my javascript alert has scared a sysop like hell :P (while reading the logs in his cms)