Professional Search Engine Optimization (Seo). Developer’s Guide to SEO

Ajax software Free javascripts
↑

Main Page

Attack Avoidance

Search engine marketers must be aware of several things in black hat SEO from a security perspective.

Some black hat search engine marketers exploit faulty or lax software to place links from your site to

theirs in order to increase their rankings. This can be either through a bulletin board post, a blog com-

ment, or a generally faulty script. Frequently, black hat techniques employ automated software to seek

and exploit such weaknesses.

A black hat marketer may also use some sort of signature in a web application to find many sites using

a search engine, such as a version number or tagline. Therefore, it is imperative that any web developer

understands this, because being exploited may be to your detriment in rankings, not to mention corpo-

rate image. It’s clear that nobody wants hundreds of links to spam sites on their forums or comments.

Security notwithstanding, the first step to protect your web site is to keep software that is not under

your auspices, that is, third-party software, up-to-date. For example, not too long ago, many blogging

applications did not apply the

rel=”nofollow”

attribute to links in comments — because it had not

been adopted yet! This weakness had been exploited extensively in the past by black hat SEOs.

One more recent exploit was the HTML insertion flaw in Movable Type, a very popular blogging appli-

cation, and the problem has been documented at

http://seoblackhat.com/2006/06/10/moveable-

type-backlink-exploit/

Such problems can be avoided by manually patching the software for vulnerabilities, but updating your

software frequently would certainly help, because they are usually corrected on your behalf eventually

anyway.

HTML Insertion Attacks

A programmer must escape

all

data processed by your web application’s code. Escaping means altering

the text and other data received from a non-trusted source, such as a comment added by a visitor on your

web site, so that it doesn’t cause any unwanted side effects when that data is further processed by your

application.

Input data validation and escaping is a common security issue, but most web developers are only accus-

tomed to it, these days, in the context of SQL. Most experienced web developers know that they must

escape or sanitize data sent to a SQL database. Otherwise, carefully constructed input can form a mali-

cious query that exposes and/or vandalizes data. Despite this, many programmers forget to escape SQL

input; and even more of them forget to do the same for HTML input.

Even the terminology reflects the apathy. You “escape” SQL with the

mysql_real_escape_string()

PHP

function, but you “convert special characters” using the

htmlspecialchars()

htmlentities()

PHP

functions. In addition, there are huge glaring comments about why you should escape SQL.

The

mysql_real_escape_string()

documentation says that

“This function must always (with few excep-

tions) be used to make data safe before sending a query to MySQL.”

But none of the documentation pages for the HTML escaping functions say anything along the lines of

“You must escape your user-generated HTML, otherwise people can use carefully crafted parameters

to tell the world you advocate and link to something terribly unethical.” Obviously, your site could also

177

Chapter 8: Black Hat SEO

c08.qxd:c08 10:59 177

Ajax software Free javascripts
→