Cross Site Scripting Meets Search Engine Optimization

Posted April 2, 2008

Yesterday’s revelation that certain Google search results contain tainted URLs that simultaneously take consumers to their intended site, as well as redirect them to a second site for the purpose of installing malware, shows the bad guys continue to get creative. Read about it here in USA Today Cross site scripting, phishingPhishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. and web-delivered malwareMalware: Software that is intended to damage or disable computers and computer systems. are not new threats, but the combination of these elements along with proven search engine optimization techniques poses a pretty lethal combination.

Hopefully, Google will take steps to protect its customers from these attacks. Web site operators can do their part, too. You can help protect your Web site from cross site scripting attacks by ensuring that your application performs validation of all headers, cookies, query strings, form fields and hidden fields.