Bill brings up some interesting points in the comment on this thread about the search engines blocking the pages that give the rank and/or links out from the XSS exploitable pages.
In some cases, I think this is possible. For instance, there’s one XSS exploit that I used for almost a year that gave me backlinks to my sites from search boxes on other sites. I’m sure it’s still useful in quantity but I have noticed that some of the search engines don’t like those particular links anymore. It might be because they’re blocking them, because they don’t like the lengthy URLs, or because there’s not much content on those pages.
Regardless of the reason, however, there are still a ton of wiki/tiki/blog/whatever with XSS exploits out there. Yes, yes, I know it’s all the rage to talk about XSS exploits right now. Bear with me.
One solution that people have come up with is for programmers to code better and to not have the holes in the first place.
I’ve been a programmer for over 15 years now and, unfortunately, in the entire time I’ve been coding, security issues are usually the LAST thing that people think about. It doesn’t affect the functionality of an application and thus is a money sink.
So, we can hope and pray that programmers of the thousands of applications out there that have XSS holes will write, test, and debug their code so that it doesn’t have XSS exploits in it, or we can hope for a more global solution like the search engines taking action in some way.
One way, as Bill suggests, would be for those pages to get banned. And the search engines have already done this if you link out to “bad” neighborhoods. This will have some effect but there are plenty of XSS exploits that are undetectable to the search engines that the spammers will use. They’ve got tools that aren’t too difficult to write that will go out there and find exploitable sites for them to spam later.
Another hope is that people will upgrade their software to a new version in which the XSS exploits have been fixed. Yeah, it’ll work for some people…but I can tell ya now, there will *always* be some that don’t/won’t/can’t upgrade – for whatever reason. And as long as that is the case, there will always be some XSS exploits around.
To put it bluntly, I really don’t see a good solution to any of this as of yet. There’s lots of finger pointing going on while the spammers happily continue to use the techniques talked about or even the new ones that are found every day…
G-Man