
Difference between revisions of "Reverse Tabnapping"

{{Template:Attack}}
 
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
 
==Description==
 
 
Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. Because the user was originally on the correct page, they are less likely to notice that it has been changed to a phishing site, especially if the phishing site looks the same as the target. If the user authenticates to this new page, their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.
 
 
As well as the linked site being able to overwrite the target page, any http link can be spoofed to overwrite the target page if the user is on an unsecured network, for example a public wifi hotspot. The attack is possible even if the target site is only available via https, as the attacker only needs to spoof the http site that is being linked to.
 
 
The attack is typically only possible when the target site uses a "_blank" target attribute in the link and does not include any of the preventative measures detailed below.
 
 
==Examples==
 
 
Vulnerable page:
 
 
<pre>
<html><body>
<ul>
<li><a href="http://bad.example.com" target="_blank">vulnerable target</a></li>
</ul>
</body></html>
</pre>
 
 
Malicious site that is linked to:
 
 
<pre>
<html><body>
<script>
// window.opener is the tab that opened this one; without rel="noopener"
// it can be navigated from here, replacing the original page.
if (window.opener) {
  window.opener.location = "https://phish.example.com";
}
</script>
</body></html>
</pre>
 
When a user clicks on the 'vulnerable target' link, the 'malicious' site is opened in a new tab (as expected), but the target site in the original tab is replaced by the phishing site.
 
 
==Prevention==
 
 
Any of the following options will prevent reverse tabnabbing:
 
* Do not use target="_blank" in a link
 
* Add the link attribute rel="noopener", rel="noreferrer" or rel="noopener noreferrer"
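The following is an added example, not code from the OWASP page: a small Node.js audit that scans HTML for links combining target="_blank" with none of the rel tokens listed above. It uses a simple regex tokenizer rather than a full HTML parser, and the sample page is constructed for illustration.

```javascript
// Added example (not from the OWASP page): report links that open a new tab
// without severing the window.opener relationship. Assumes Node.js.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the text inside an <a ...> start tag into a lowercase-keyed attribute map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// True when the rel attribute carries a token that blocks opener access.
// "noreferrer" implies "noopener" in browsers that support it.
function hasOpenerProtection(rel) {
  const tokens = (rel || '').toLowerCase().split(/\s+/);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Return the href of every <a target="_blank"> that lacks noopener/noreferrer.
function findTabnabbableLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    if (hasOpenerProtection(attrs.rel)) continue;
    findings.push(attrs.href || '(no href)');
  }
  return findings;
}

// Constructed sample page: one vulnerable link, two protected, one same-tab.
const SAMPLE_HTML = `
<ul>
<li><a href="http://bad.example.com" target="_blank">vulnerable target</a></li>
<li><a href="http://other.example.com" target="_blank" rel="noopener">safe</a></li>
<li><a href='http://third.example.com' rel="noreferrer" target=_blank>safe</a></li>
<li><a href="http://same.example.com">same tab</a></li>
</ul>`;

console.log(findTabnabbableLinks(SAMPLE_HTML)); // [ 'http://bad.example.com' ]
```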
 
 
==References==
 
 
* https://dev.to/ben/the-targetblank-vulnerability-by-example - The target="_blank" vulnerability by example
 
* https://mathiasbynens.github.io/rel-noopener/ - About rel=noopener
 
* https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c - Target="_blank" — the most underestimated vulnerability ever
 
 
 
__NOTOC__
 
 
[[Category:Attack]]
 

Latest revision as of 12:19, 20 February 2018