From a security perspective, search engine marketers must be aware of several black hat SEO practices.
Some black hat marketers exploit faulty or poorly maintained software to place links from your site to
theirs in order to raise their own rankings. The entry point can be a bulletin board post, a blog comment,
or any script that accepts input without checking it. These black hat techniques frequently rely on
automated software to seek out and exploit such weaknesses at scale.
A black hat marketer may also use a search engine to locate many sites running the same web application
by searching for a signature the application leaves in its pages, such as a version number or tagline.
Therefore, it is imperative that every web developer understands this, because being exploited can hurt
your rankings, not to mention your corporate image. Nobody wants hundreds of links to spam sites in their
forums or comments.
Even setting general security concerns aside, the first step to protect your web site is to keep software
that is not under your control, that is, third-party software, up to date. For example, not too long ago,
many blogging applications did not apply the
attribute to links in comments, because it had not
been adopted yet. This weakness was exploited extensively by black hat SEOs.
A more recent example is the HTML insertion flaw in Movable Type, a very popular blogging application;
the problem has been documented at
Such problems can be avoided by patching the software for vulnerabilities yourself, but updating your
software frequently helps just as much, because vulnerabilities are usually corrected on your behalf eventually.
HTML Insertion Attacks
A programmer must escape
data processed by your web application's code. Escaping means transforming text and other data received
from an untrusted source, such as a comment a visitor adds to your web site, so that it cannot cause any
unwanted side effects when that data is further processed by your
Input validation and escaping is a well-known security issue, but these days most web developers are
accustomed to it only in the context of SQL. Most experienced web developers know that they must escape
(or, better, parameterize) data sent to a SQL database; otherwise, carefully constructed input can form a
malicious query that exposes or vandalizes data. Despite this, many programmers forget to escape SQL
input, and even more of them forget to do the same for data they emit into HTML.
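The following is an added example, not code from the book, showing the difference the paragraph describes: a comment renderer that drops visitor input straight into the page beside one that escapes it for the HTML text and attribute contexts. The spam comment, the author name and the helper names (render_comment_vulnerable, render_comment_escaped, render_author_link, safe_href) are constructed for illustration. It also goes one step beyond the text: escaping alone does not make a visitor-supplied URL safe to use as a link target, so the example adds a scheme allow-list for that case.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: the kind of comment a link-planting bot posts.
# Not a real payload from any site.
SPAM_COMMENT = 'Nice post! <a href="http://spam.example/">cheap pills</a>'

# Only these schemes are accepted for visitor-supplied link targets.
ALLOWED_SCHEMES = {"http", "https"}


def render_comment_vulnerable(author, body):
    """'Before': untrusted data is interpolated as-is, so the <a> tag inside
    the comment is parsed by the browser as real markup. The spammer gets
    a live backlink from your page."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_escaped(author, body):
    """'After': every untrusted value is escaped for the HTML text context
    before it is interpolated. html.escape turns < > & " ' into entities,
    so the comment's markup is displayed literally instead of being parsed."""
    return (
        f'<div class="comment"><b>{html.escape(author)}</b>: '
        f'{html.escape(body)}</div>'
    )


def safe_href(url):
    """Escaping is not validation. html.escape('javascript:alert(1)') is
    unchanged and still executes when clicked, so a URL destined for an
    href attribute is first checked against an allow-list of schemes and
    only then escaped for the attribute context. Anything else becomes '#'."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return html.escape(url)  # quote=True by default: " and ' are escaped too
    return "#"


def render_author_link(display_name, url):
    """Attribute context: the URL goes inside a double-quoted attribute, so
    any quote characters in it must be escaped or the visitor could break out
    of the attribute and add their own (for example, onmouseover=...)."""
    return f'<a href="{safe_href(url)}">{html.escape(display_name)}</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable("bot", SPAM_COMMENT))
    print(render_comment_escaped("bot", SPAM_COMMENT))
    print(render_author_link('x" onmouseover="alert(1)', "javascript:alert(1)"))
    print(render_author_link("Alice", "http://example.org/?a=1&b=2"))
```

The escaped renderer keeps the comment readable (the visitor's text still appears) but the injected anchor survives only as inert text, which is exactly what defeats the link-planting described above. Note that escaping happens at output time, in the function that builds the HTML, rather than when the comment is stored; the same stored comment may later be emitted into a different context (a JSON feed, an e-mail) that needs different escaping.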
Even the terminology reflects the apathy. You “escape” SQL with the
function, but you “convert special characters” using the
functions. In addition, there are huge glaring comments about why you should escape SQL.
documentation says that
“This function must always (with few excep-
tions) be used to make data safe before sending a query to MySQL.”
But none of the documentation pages for the HTML escaping functions say anything along the lines of
“You must escape your user-generated HTML, otherwise people can use carefully crafted parameters
to tell the world you advocate and link to something terribly unethical.” Obviously, your site could also
Chapter 8: Black Hat SEO