1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

HTML injection

Discussion in 'Black Hat SEO' started by sherone, Aug 1, 2009.

  1. sherone

    sherone Newbie

    Joined:
    Jul 13, 2009
    Messages:
    28
    Likes Received:
    0
    Guys,

    What is this HTML injection. One guy saying he can put our link in the PR6 and PR7 .gov and .mil sites through html injection.

    is it possible??
     
  2. trushafty38

    trushafty38 Regular Member

    Joined:
    Jul 24, 2009
    Messages:
    208
    Likes Received:
    99
    Occupation:
    I have many Hats, Including a black one.
    Location:
    My rep is ruined! lol
    I think godaddy uses html injection for putting the ads on their free hosted website (only works with asp 2+ for their servers). So im assuming that HTML injection is server side script that puts in html code for them. If he has access to the servers he could implement this possibly. But government sites? yikes idk about that. Maybe if you are out of the country (us)
     
  3. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Sounds like a XSS to me... I know that there are some stupidly simple html injections that have been going around for few years now. At the same time, I know that there are many incompetent government agencies that do a piss-poor job of upkeeping their websites..

    But injecting a mil site with your backlink? That's pretty damn blackhat. Just because you can, doesn't mean you should...
     
  4. FarmTeam

    FarmTeam Junior Member

    Joined:
    Jun 27, 2009
    Messages:
    139
    Likes Received:
    79
    haha, html injection.
     
  5. PinguSpy

    PinguSpy Jr. VIP Jr. VIP

    Joined:
    Dec 7, 2007
    Messages:
    1,045
    Likes Received:
    935
    Occupation:
    Internet Farmer
    Location:
    Pineal Gland
    Home Page:
    hack3r?

    how about SQL injection haha
     
  6. oxonbeef

    oxonbeef BANNED BANNED

    Joined:
    Jan 4, 2009
    Messages:
    2,242
    Likes Received:
    7,872
    Lol you really want to putting your links in .gov and .mil sites Don't you?
    * = your arse before you tried that shit. 0 = your arse by the time you get out
    of the pen.
     
  7. ruler0fall

    ruler0fall Power Member

    Joined:
    May 17, 2009
    Messages:
    565
    Likes Received:
    263
    Replace * by .
     
  8. prozium

    prozium Newbie

    Joined:
    Mar 31, 2009
    Messages:
    48
    Likes Received:
    12
    Well is the xss/css trick still working with google? No1 will tell you something,, because you cross scripted their site. But is google going to follow the xss link?
     
  9. blackmagicmaster

    blackmagicmaster BANNED BANNED

    Joined:
    Dec 11, 2008
    Messages:
    587
    Likes Received:
    932
    XSS or html injections are client side attack they wont chage any data one real website !!
     
  10. orangejuice

    orangejuice Registered Member

    Joined:
    Jul 25, 2009
    Messages:
    54
    Likes Received:
    16
    Yes, if it's badly written.

    They probably mean something like if they asked for your name, and you input:

    Code:
    " /> <a href="..">text</a>
    Then it would say Welcome with a hyperlink to your site.

    Note: the example is made up, but demonstrates the idea.
     
  11. jimbobo2779

    jimbobo2779 Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 17, 2008
    Messages:
    3,239
    Likes Received:
    2,394
    Occupation:
    Software Engineer
    Location:
    UK
    Home Page:
    Just to clear a couple of misconceptions about the technique the guy is talking about.

    This is not SQL injection, that involves using carefully crafted web addresses (or more specifically GET or POST variables) to interact somehow with an otherwise protected database.

    This guy is purportedly using the XSS injection technique that involves a similar method ( using GET and POST variables but to insert some HTML onto the target website(s).

    This is actually a lot mor illegal than you would think and if they come after you could result in hacking charges. Do you wanna be prosecuted for hacking military websites? I know I wouldn't lol
     
  12. prozium

    prozium Newbie

    Joined:
    Mar 31, 2009
    Messages:
    48
    Likes Received:
    12
    Well I'm not talking about sql injection or html injection of any kind - that's said it wont stick on their site or their data bases, but if the search engine of the website is not properly checked for html tags and special characters you can make your link stick for google to follow the xss link and count it as a backlink. Now the big question here is : Is this trick still working?
    And i really don't think that this is really blackhat, cause there isn't any permanent damage what so ever and you don't harm the website at all - well you can point out that they didn't code it very well.
    If you do that to .gov sites - well maybe that's a different story, but still no harm done and it would be embracing for the webmasters to say that some 18year old xssed their website ...
     
  13. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,147
    It is not working, i have tested in the past.
     
  14. jimbobo2779

    jimbobo2779 Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 17, 2008
    Messages:
    3,239
    Likes Received:
    2,394
    Occupation:
    Software Engineer
    Location:
    UK
    Home Page:
    You and I would think that there is no harm done but if you are in an EU country or US / Canada or pretty much any country with a recent set of laws pertaining to anything digital you are classed as not spamming but hacking.

    We may agree that there is no harm done but that is pretty much irrelevant I think in the eyes of the law. I have done it in the past and received no ill effects from it but it didn't really do a huge amount for my rankings either. In my opinion it could still work, don't expect huge gains from it though and if Jonny Law comes a knocking don't say I didn't warn you :p
     
  15. jimbobo2779

    jimbobo2779 Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 17, 2008
    Messages:
    3,239
    Likes Received:
    2,394
    Occupation:
    Software Engineer
    Location:
    UK
    Home Page:
    Oh also for anyone interested in trying this don't forget that you will normally have to drive some link juice or ping the page that you are injecting otherwise the SEs will be unaware the link is even there. The link is no good if it doesn't get noticed (indexed)
     
  16. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,147
    Besides, an injected page by GET method has 0 Pr...
     
  17. Maxell

    Maxell Regular Member

    Joined:
    May 10, 2007
    Messages:
    456
    Likes Received:
    563
    well its an old news, people used to find some bugs and post their links from usually GET something like this

    http://blahblah.edu/search?id=YOURSITE.com

    and then it was giving a message like

    your YOURSITE.com does not appear in the search result..

    and people were considering this as backlink, what they did was then posting those links in their signatures, google pick that URL and considers it as backlink.. but people used to do such stuff in 2005-6 not sure if someone is doing atm..
     
  18. rudyvise

    rudyvise Jr. VIP Jr. VIP

    Joined:
    Jul 6, 2008
    Messages:
    358
    Likes Received:
    169
    Occupation:
    Corporate Copywriter
    Location:
    England
    Be my guessed.

    Gary Mckinnon.

    lol
     
    • Thanks Thanks x 1
  19. prozium

    prozium Newbie

    Joined:
    Mar 31, 2009
    Messages:
    48
    Likes Received:
    12
    Well a pr0 from .edu or .gov is still something right?

    And about the cross site scripting in EU this isn't hacking - i mean if you type by mistake "><script>alet(1);</script> and hit the search button is this hacking? It's not recorded on the database and it's not permanent, it's just mischecked html tags and that's not your fault. If you make it stick on the database and do some harm directly to the website, you may get in trouble ( i'm talking for not-.gov sites here).
     
  20. jimbobo2779

    jimbobo2779 Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 17, 2008
    Messages:
    3,239
    Likes Received:
    2,394
    Occupation:
    Software Engineer
    Location:
    UK
    Home Page:
    I think what jazzc meant was that it passes 0 link juice as google is all over this trick and has been for some time.

    Also I know that there is no physical / permanent harm done to the site but intentionally making use of a sites security, or lack there of, such as XSS / HTML injection is actually hacking a segment of their site with the intention to gain a link which could be said to reduce that sites own ranking by leaking link juice.

    I realise that scenario is a bit of a stretch but the term for this is not SEO, its not black hat or white hat anything it is hacking. Pretty sure that is how the bobbies would see it.