[WEB SECURITY] URL Spoofing vulnerabilities in browsers and search engines

MustLive mustlive at websecurity.com.ua
Mon May 4 19:33:06 EDT 2009


In continuation of my article about URL Spoofing vulnerabilities in browsers
and search engines, I'll tell you about a new interesting attack on search
engines.

As you already know from my three previous advisories, search engines can be
used for URL Spoofing attacks, and this attack can also be used for SEO
purposes. Now I'll tell you about a new attack on search engines, which I
called search engine obstruction.

This search engine obstruction attack - SEO attack for short :-) - can be
made against any search engine whose spiders support %20 or other
URL-encoded chars, as I described in my first two advisories about the URL
Spoofing vulnerability in bots of search engines.

The idea of the attack is as follows.

Give the spider of a search engine some number of URLs which will not work
in browsers, but will be indexed by the search engine. These URLs must
contain %20 or other URL-encoded chars. Then a user will come to this search
engine (which was SEO attacked) and enter some query. In the SERP the user
will click on some link (which will contain %20, for example) and it will
not work - it will not open in the browser. The user will click on some
other links (or one incorrect link will be enough for him - it depends on
the person), and if he finds the same behavior (the links do not work), then
he'll go to another search engine.

I found this kind of attack on 29.04.2009, when I was researching the URL
Spoofing vulnerability in Yahoo (I gave an example of a URL-spoofed site
indexed by Yahoo in the second advisory).

Here is an example of a dork which shows you a lot of such sites in Yahoo:


7 of the 10 sites on the first page of the SERP (indexed by Yahoo! Slurp)
will not open in any browser - neither in new browsers, which do not support
%20, nor in the old browsers Mozilla and IE6 (and the new IE7 and IE8), which
support %20.

The search engine obstruction attack can be used to obstruct search engines'
indexes and to influence their reputations. For example, such attacks can
be carried out by competitors. Just imagine: links in the SERP are not
working in Yahoo, so users go to Google, and vice versa, and if links are
not working in both Yahoo and Google, then users will go to Microsoft's Live
Search ;-). Every search engine vendor can use this attack for their
benefit. So this attack can be dangerous for every search engine.

Best wishes & regards,
Administrator of Websecurity web site
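
An index-side check for the condition described above, as an added example that is not part of the original post: it flags crawled URLs whose host a browser could never resolve, so they can be kept out of the SERP. The post does not say which part of the URL carries the encoded characters; this sketch assumes the host, and the function names and sample URLs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
# Strict on purpose: spaces and underscores are rejected.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def host_problem(url):
    """Return why the URL's host cannot be resolved by a browser, or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unparseable URL"
    if not host:
        return "no host"
    if "%" in host:
        # Assumption: the encoded characters sit in the host (e.g. %20 = space).
        return "percent-encoded host (decodes to %r)" % unquote(host)
    try:
        ipaddress.ip_address(host)  # IPv4/IPv6 literals are not DNS names
        return None
    except ValueError:
        pass
    try:
        # Internationalised names are checked in their ASCII (punycode) form.
        ascii_host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return "host is not a valid domain name"
    for label in ascii_host.split("."):
        if not _LABEL.match(label):
            return "invalid DNS label %r" % label
    return None

def triage(urls):
    """Pair each crawled URL with its rejection reason (None means indexable)."""
    return [(url, host_problem(url)) for url in urls]

# Constructed sample input (reserved example/.test names, not from the post).
SAMPLE = [
    "http://www.example.com/some%20page.html",  # encoded char in path: fine
    "http://example%20site.test/",              # encoded space in host
    "http://example%2Esite.test/index.html",    # encoded dot in host
    "http://bad host.test/",                    # raw space in host
]

if __name__ == "__main__":
    for url, reason in triage(SAMPLE):
        print("QUARANTINE" if reason else "INDEX", url, reason or "")
```

Percent-encoding in the path or query is left alone, since it is legitimate there; only the host is treated as a reason to withhold a result.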
