Most people create external links with target="_blank" and are unaware of one interesting nuance: the page opened this way gets partial control over the page that linked to it, through the JS window.opener property.
Through window.opener.location, the opened page can redirect the original tab to, for example, a phishing page. This is a kind of tabnabbing, only more advanced, since the victim least expects the page to be substituted in a previously opened, trusted browser tab.
The problem is far from new, but it is still relevant, and as far as I can see, not many people know about it.
The problem also exists on Facebook.
For example: open the post, click on the link, and look at what happened to the tab in which the post was opened.
I hid the publication on FB due to complaints about needing to restore access to the account after clicking on the link (proof). You can try to put the hidden publication on the sli.su/kitten.html page or see how it works in the browser.
The sli.su/kitten.html page contains this code:
window.opener.location = 'https://sli.su/facebook.com/auth.html';
It redirects the previously trusted page. This happens because nobody told the browser that the page being opened should not have access to the parent tab. At the time of publication, it works without problems in Chrome 50, Firefox 45 and Opera 36.
Many sites are guilty of this, and some do not even consider it a problem "on their side":
sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
Solutions to the problem:
1. Add to links:
rel="noopener"
It can also be
rel="nofollow noopener"
2. Open all external links through your own intermediate page, which should run this code:
window.opener = null;
3. Open links in a new tab via js:
var otherWindow = window.open();
otherWindow.opener = null;
otherWindow.location = targetUrl;
4. Catch all clicks on links and, at the moment of navigation, create a hidden iframe through which the page is opened in a new tab.
github.com/danielstjules/blankshield - js plugin that, according to the description, solves the problem (not personally tested).
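An added example (not code from the original article or from any project it mentions): a script a site could ship to apply solution 1 to every external target="_blank" link, merging noopener and noreferrer (the fallback the PS gives for Firefox) into whatever rel value the link already has. All function names are assumptions made for illustration.

```javascript
// Added example: harden external target="_blank" links (solution 1 + the PS fallback).
const REQUIRED = ['noopener', 'noreferrer'];

// Merge the required tokens into an existing rel value, keeping tokens such as "nofollow".
function hardenRel(rel) {
  const tokens = (rel || '').split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED) if (!seen.has(t)) tokens.push(t);
  return tokens.join(' ');
}

// True when href resolves to a different origin than the current page.
function isExternal(href, pageUrl) {
  try {
    return new URL(href, pageUrl).origin !== new URL(pageUrl).origin;
  } catch (e) {
    return true; // unparsable href: fail closed and treat it as external
  }
}

// Accepts any object with getAttribute/setAttribute, i.e. a DOM <a> or <area>.
// Returns true only when the rel attribute was actually changed.
function hardenAnchor(a, pageUrl) {
  if ((a.getAttribute('target') || '').toLowerCase() !== '_blank') return false;
  const href = a.getAttribute('href');
  if (href === null || !isExternal(href, pageUrl)) return false;
  const before = a.getAttribute('rel') || '';
  const after = hardenRel(before);
  if (after === before) return false;
  a.setAttribute('rel', after);
  return true;
}

// Harden every link under root; returns the number of links modified.
function hardenAll(root, pageUrl) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target], area[target]')) {
    if (hardenAnchor(a, pageUrl)) changed++;
  }
  return changed;
}

// In a browser, run once the DOM is parsed; links injected later need another call.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => hardenAll(document, location.href));
}
```

Setting rel in the server-side templates remains preferable, since a script only covers links that exist when it runs.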
PS: rel="noopener" does not work in FF - habrahabr.ru/post/282880/#comment_8879594. Instead, you can use rel="noreferrer".
PPS: For anyone who considers the article https://medium.com/@jitbit/target-blank-the-most-under... the original article - compare the publication dates. My article was published on the 3rd of May. The English one - on the 4th.