In a phishing attack the attacker will try to steal user data, e.g. login credentials. Reverse tabnabbing is a phishing method, and here we will try to explain what it is and how it can be prevented.
By Robert Larsen, December 12, 2019
Websites often refer to pages on other websites, and such links are sometimes opened in a new tab. Adding `target="_blank"` to an `<a>` element in HTML makes the link open in a new tab; the same can be achieved with JavaScript. The page we link to might be either safe or unsafe. We cannot know, since we have no control over it.

When a linked page is opened with `target="_blank"`, or by `window.open()` in JavaScript, the linked page gets a `window.opener` property that refers to the window of the linking page. Thus the linked page can set `window.opener.location` to anything it wants. That opens a set of possibilities, and we can imagine the following attack scenario:
1. A page on our site links to the attacker's page with `target="_blank"`.
2. The attacker's page runs `window.opener.location = <url to fake login page>`, so the tab the user came from now shows a fake login page.

There are two quite easy fixes to prevent this kind of attack.
1. Add `rel="noopener noreferrer"` to every `<a>` element that has `target` set to `"_blank"`. `noopener` ensures that the linked page does not get access to `window.opener` from the linking page. `noreferrer` makes sure that the Referer request header is not sent, so the destination site will not see the URL the user came from. According to caniuse.com, support for `noreferrer` and `noopener` is good in recent versions of major browsers. Be aware that Internet Explorer is the usual exception.

2. When opening the window from JavaScript, pass the same features to `window.open()` and clear `opener` on the returned window:

```javascript
var myNewWindow = window.open(url, name, 'noopener,noreferrer');
// Browsers that honour 'noopener' return null here, so guard before touching the handle;
// older browsers return the new window, and clearing its opener is the fallback.
if (myNewWindow) myNewWindow.opener = null;
```
If you are showing user-generated content on your page you must sanitize the input and apply "noopener noreferrer" to every link.
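As an added example (not code from the original post), the following helpers apply both fixes: `hardenLinks` rewrites every `<a>` tag with `target="_blank"` in a snippet of user-generated HTML so that its `rel` contains `noopener` and `noreferrer`, and `openInNewTab` opens a URL from JavaScript with the `noopener,noreferrer` features and the null-guarded `opener` fallback. The function names and the small attribute parser are my own; `openInNewTab` takes the window object as a parameter so it can be exercised with a stub outside a browser, and the sample HTML is constructed for the demonstration. The tag rewriter is a post-processing step and does not replace a proper HTML sanitizer.

```javascript
// Added example, not code from the original post: helpers that apply the two
// fixes against reverse tabnabbing. Names and the attribute parser are my own.

// Parse the attributes of one <a ...> opening tag into a plain object.
// Accepts double-quoted, single-quoted and unquoted attribute values.
function parseAnchorAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Serialize an attribute object back into an <a ...> opening tag.
function serializeAnchor(attrs) {
  const parts = Object.keys(attrs).map(
    (k) => `${k}="${String(attrs[k]).replace(/"/g, '&quot;')}"`
  );
  return `<a ${parts.join(' ')}>`;
}

// Fix 1: ensure every target="_blank" anchor carries rel="noopener noreferrer".
// Anchors without target="_blank" are returned untouched; existing rel tokens
// (e.g. nofollow) are kept.
function hardenAnchor(tag) {
  const attrs = parseAnchorAttributes(tag);
  if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
  const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  rel.add('noopener');
  rel.add('noreferrer');
  attrs.rel = Array.from(rel).join(' ');
  return serializeAnchor(attrs);
}

// Apply hardenAnchor to every <a ...> opening tag in an HTML fragment.
// Run this after the fragment has been through a real HTML sanitizer.
function hardenLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, hardenAnchor);
}

// Fix 2: open a URL in a new tab from JavaScript. `win` is the window object
// (pass the real `window` in a browser); it is a parameter so the function can
// be exercised with a stub outside a browser.
function openInNewTab(win, url, name) {
  const handle = win.open(url, name || '_blank', 'noopener,noreferrer');
  // Browsers that honour 'noopener' return null; older ones return the new
  // window, whose opener we clear by hand as a fallback.
  if (handle) handle.opener = null;
  return handle;
}

// Constructed sample of user-generated content with one external and one local link.
const SAMPLE_UGC =
  'See <a href="https://example.com" target="_blank">this</a> and <a href="/local">that</a>.';

// Usage: hardenLinks(SAMPLE_UGC) adds rel="noopener noreferrer" to the first
// link only; in a browser, openInNewTab(window, 'https://example.com') opens
// the page without handing it a usable window.opener.
```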
We hope that you have this in mind when you develop your websites. Please refer to the links below if you want to know more.