Links from the Gutter: Crappy Coders, Blackhat Backlinks, and Making the Most of Them
Ok. So this entry is going to be a challenge. If I get too specific, then these links are going to become worthless. Too broad, and you all aren’t getting your 2 minutes worth of quality. But either way, what I’m going to discuss here are “not quite cross site scripting” attacks. Shoving your own data into certain fields that will create a backlink. I don’t know the legality of this, for the sake of argument let’s say I’ve never done it. Oh yes, and I don’t know what these should really be called, so I’ll call them “gutter links”.
This is a very blackhat entry, although I dare say that a large percentage of blackhats already know about them. They’re frequent fliers in the “buy viagra” search engine results.
If you don’t like me talking about this, realize that the Viagra blackhats and such already know this, and use it. So protect your arse instead of complaining at me. Also, everyone should know that I have NO IDEA how legal/illegal this is, so these results were gotten for research purposes only, and I will not pay your legal bills if it turns out it’s illegal.
How to Do It
Your goal is to find fields that are in the URL and are not cleaned properly. For example, in www.isuckatcoding.com/?contact=Barry+Williams, the value Barry Williams may be what we substitute our own data for. This will become clear later, but basically we’re relying on the coder being lazy: instead of pulling the value from a database, the page directly outputs the $_GET variable.
Note: www.Isuckatcoding.com doesn’t really exist. It’s used for an example.
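The pattern described above next to two ways of closing it, as an added PHP example that is not taken from any real site. The `CONTACTS` table, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example; every name below is hypothetical.

// Known contacts, standing in for the database lookup the lazy version skips.
const CONTACTS = ['barry-williams' => 'Barry Williams', 'ann-lee' => 'Ann Lee'];

// Read one query parameter as a string (?contact[]=x arrives as an array).
function param(array $get, string $name): string {
    $v = $get[$name] ?? '';
    return is_string($v) ? $v : '';
}

// BEFORE: the value is written into the page as-is, so markup in the URL
// becomes part of the HTML that crawlers index.
function render_unsafe(array $get): string {
    return '<p>Contact: ' . param($get, 'contact') . '</p>';
}

// FIX 1: encode on output, so markup in the value is shown as text.
function render_escaped(array $get): string {
    $name = htmlspecialchars(param($get, 'contact'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Contact: ' . $name . '</p>';
}

// FIX 2: use the value only as a lookup key. Unknown keys get a fixed
// message and a 404, so made-up URLs stop yielding distinct indexable pages.
function render_lookup(array $get): array {
    $key = strtolower(str_replace(' ', '-', trim(param($get, 'contact'))));
    if (!array_key_exists($key, CONTACTS)) {
        return [404, '<p>Unknown contact.</p>'];
    }
    $name = htmlspecialchars(CONTACTS[$key], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, '<p>Contact: ' . $name . '</p>'];
}

// Constructed inputs, already URL-decoded the way PHP fills $_GET.
$samples = [
    ['contact' => 'Barry Williams'],
    ['contact' => '<a href=http://www.google.com>I_SHOULD_NOT_BE_HERE</a>'],
    ['contact' => ['nested']],
];
foreach ($samples as $get) {
    [$status, $body] = render_lookup($get);
    echo 'unsafe : ', render_unsafe($get), "\n";
    echo 'escaped: ', render_escaped($get), "\n";
    echo 'lookup : ', $status, ' ', $body, "\n\n";
}
```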
Just Because a Site Is Popular Doesn’t Mean It’s Not Vulnerable
For example, EarthLink decides that robots.txt’s are for suckers. They’ve had 4 of these issues in the past that I knew of, but some are still out there.
Hundreds of other popular sites though have these issues. We’re talking like top-tier internet too. PR7+, millions of users.
The 3 Simple Kinds of Gutter Link Substitutions
- HTML In The Variable - Probably the worst kind.
  Use of complete HTML in the URL. So we would use the encoded version of “<a href=http://www.google.com>I_SHOULD_NOT_BE_HERE</a>”:
  www.isuckatcoding.com/?contact=%3Ca+href%3Dhttp%3A%2F%2Fwww.google.com%3EI_SHOULD_NOT_BE_HERE%3C%2Fa%3E
  These links are more difficult than most to get indexed (in my experience) as they are obviously injections, and obviously not supposed to be there.
  Note that I don’t use quotes in the link. Those often serve as a flag for people, and will lead to a lower success rate.
  - How To Find Them
    Search for error documents. A lot of these output the wrong code on the header level, and get indexed. Ones that output a plaintext version of the not found page are the targets for this one.
    In addition, look for dates, departments, and contact names in the get variables. These are most likely to be automatically rendered off the variable.
- URL in the Variable
  A likely one for this would be www.icantcode.com/redir.php?link=http://www.google.com
  As a security measure awhile ago people decided it would be AWESOME to show a page saying where you were going to be redirected before doing so, then using a metarefresh, or even better a Javascript redirect to actually do the redirect. All of these? Yup. Backlinks.
- Cached Page Results
  A good example of this is one discovered by Richard Baxter in SEOMoz’s link analysis tool. In fact, this is one I see almost exclusively in various SEO related tools. I don’t feel like getting into these too much, so read there about it.
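A hardened version of the two page types this list points at, the redirect notice and the error document, as an added PHP example (not code from any site mentioned here). `ALLOWED_HOSTS`, the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example; names and hosts below are hypothetical.

const ALLOWED_HOSTS = ['www.example.com', 'docs.example.com']; // assumed partner list

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns [status, headers, body] for redir.php?link=...
function redirect_notice(array $get): array {
    $link  = $get['link'] ?? '';
    $parts = is_string($link) ? parse_url($link) : false;
    $ok = is_array($parts)
        && in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
        && in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)
        // Userinfo and backslashes are read differently by browsers and parse_url.
        && !isset($parts['user']) && strpos($link, '\\') === false;
    if (!$ok) {
        // The rejected value is not echoed back at all.
        return [400, ['X-Robots-Tag: noindex, nofollow'], '<p>Unknown destination.</p>'];
    }
    $body = '<p>You are leaving for <a rel="nofollow noopener" href="' . h($link) . '">'
          . h($parts['host']) . '</a></p>';
    return [200, ['X-Robots-Tag: noindex, nofollow'], $body];
}

// Returns [status, headers, body] for the error document.
function not_found_page(string $requestUri): array {
    // A real 404 status keeps the page out of the index; the path is
    // encoded before display in case it carries markup.
    return [404, ['X-Robots-Tag: noindex'], '<p>Not found: ' . h($requestUri) . '</p>'];
}

// Constructed requests.
$results = [
    redirect_notice(['link' => 'https://docs.example.com/start']),
    redirect_notice(['link' => 'http://www.google.com']),
    redirect_notice(['link' => 'javascript:alert(1)']),
    not_found_page('/<a href=http://www.google.com>I_SHOULD_NOT_BE_HERE</a>'),
];
foreach ($results as [$status, $headers, $body]) {
    echo $status, ' | ', implode('; ', $headers), ' | ', $body, "\n";
}
```

In a live script the status would be sent with `http_response_code()` and each header string with `header()` before the body is written.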
How to Get These Indexed
I personally am a fan of the “let’s see how many forums I can register for” method, but many exist. Some people even link to a bunch from one domain, and make it look like they themselves got hacked (yes, I got permission to repeat that). Some people referrer spam them as well.
How to Make These Count
Having no internal links to a page can greatly diminish how much power it can pass to your links. So how to get around this? Some parts are inevitably hard to get around. You’re probably not going to get the full impact from any of these domains like a homepage link would get. But try using this trick multiple times to link to its own internal page. That at least throws off some of the basic checks and makes it a bit harder to spot using solely technical tricks. But some of these are awesome, and on the error page or whatever will actually try and show alternative pages that end up linking back to the original.
In addition, if you’re really sneaky you can sometimes get a forum post linking in to the page. But if it’s seen, chances are the glitch will be fixed. Once again, a real backlink from the parent domain will always carry a lot more weight than one gotten by these tricks, but they still count for something, and are fun to try and find.
In Closing I’m Just Going to Repeat a Few Points
- I don’t know the legality of these.
- I don’t think you should use them, and I don’t.
- Don’t complain about this post to me, just protect yourself or do whatever you want with them.
- I know full well I left a common technique out of here. It was a conscious decision.
-XMCP
PS: If you didn’t get Rick Rolled on April 1st, or would like to relive the experience, take this opportunity to get Rick Rolled by Earthlink!

April 4th, 2008 at 1:01 am
best I ever found was on a high end .gov site. It was open season for links.
April 4th, 2008 at 1:21 am
Best I ever found was on Google, but they fix things quickly.
There’s some pretty massive stuff going down right with regards to the serps. Not just viagra, but malware.
One sweet technique is to just follow the attack in the serps. Let them find the vulnerabilities and you just inject your stuff right behind ‘em
April 4th, 2008 at 7:43 am
.gov sites are absolutely rife with holes. I don’t even think those guys are trying.
Of course the corporate world isn’t much better… Altavista has several, ask has a few, the google search appliance one has gotten me some serious mileage.
Just try stuff, and see what happens. I’ve got some that I’ll never give away because the big sites are the best…
They tend to lose you in the noise, and not notice that it’s going on as quickly if at all.
April 4th, 2008 at 10:37 am
Easy way to find such sites is to watch spammers. If you get hacked/spammed - check out their backlink profile and see what sites they’re shoving links into.
April 5th, 2008 at 7:57 am
hahhahhahah ! Good one Mark ….. simple n sweet
April 7th, 2008 at 3:54 pm
The fact that nobody Sphunn this to the home or commented on it is because either stupid Sphinn troll n00bs don’t understand it OR they consider it to be “unethical.” Not even a comment!!???
With all due respect, I have no idea why you hang out there. If you’re gonna write about shady BH tactics, start hanging around our part of the web not theirs
April 24th, 2008 at 6:35 pm
Rick Rolled only 5 times. Can’t you do better than that?
June 18th, 2008 at 11:32 am
Okay. But how to find those web sites?