hacked.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="style.css" />
<title>Tabnapped</title>
</head>
<body>
<div id="page">
<div id="header">
<h1>Tabnapped</h1>
<h2>But not really!</h2>
</div>
<div class="contentTitle">
<h1>What just happened?</h1>
</div>
<div class="contentText">
<p>
The link posted on LinkedIn points to a website that uses the <i>target="_blank"</i> vulnerability.
<a href="https://github.com/Igoranze/igoranze.github.io/blob/master/index.html"><b>source code</b></a>
</p>
</div>
<div class="contentTitle">
<h1>How it works!</h1>
</div>
<div class="contentText">
<p>
People using <b>target='_blank'</b> links usually have no idea about this curious fact:
<i>The page we're linking to <i>gains partial access to the linking page</i> via the <b>window.opener</b> object.</i>
The newly opened tab can, say, change the <b>window.opener.location</b> to some phishing page. Users <i>trust</i> the page that is already opened, so they won't get suspicious.
<br />
<i>window.opener.location = 'https://igoranze.github.io/hacked.html';</i>
<br />
<i>Possible layout: …redirecting to a page that asks the user to re-enter their LinkedIn password.</i>
</p>
</div>
<div class="contentTitle">
<h1>How to fix</h1>
</div>
<div class="contentText">
<p>
Add this to your outgoing links: <b>rel="noopener"</b>. FF does not support <b>"noopener"</b>, so add this:
<b>rel="noopener noreferrer"</b>.
<br />
Remember that every time you open a new window via <b>window.open();</b> you're also "vulnerable" to this, so always reset the "opener" property:
<b>var newWnd = window.open(); newWnd.opener = null;</b>
<br />
<i>PS. Interestingly, Google <a href="https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener" rel="nofollow"><i>doesn't seem to care</i></a>.</i>
</p>
</div>
</div>
<div id="footer">
<a href="http://www.bryantsmith.com">web page designer </a>
<a href="http://www.bryantsmith.com">bryant smith</a>
</div>
</body>
</html>
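
The two fixes described under "How to fix", applied programmatically. This is an added example, not code from the original page or repository; the names `hardenLinks`, `openDetached` and `fakeAnchor` are hypothetical, and `fakeAnchor` is a constructed stand-in for a DOM element so the script also runs under Node.

```javascript
// Added example, not code from the original page or repository.
const REQUIRED = ['noopener', 'noreferrer'];

// Ensure every target="_blank" anchor carries rel="noopener noreferrer",
// keeping rel tokens the author already set (e.g. nofollow).
// `anchors`: any iterable of objects with getAttribute/setAttribute.
function hardenLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    const target = (a.getAttribute('target') || '').trim().toLowerCase();
    if (target !== '_blank') continue;
    const tokens = (a.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) continue; // already hardened
    a.setAttribute('rel', tokens.concat(missing).join(' '));
    changed += 1;
  }
  return changed;
}

// The page's window.open() fix: open a blank window, reset its opener,
// and only then navigate it to the external URL.
function openDetached(url, win) {
  const child = win.open();
  if (!child) return null; // popup was blocked
  child.opener = null;
  child.location = url;
  return child;
}

// Constructed stand-in for a DOM <a> element (assumption, for offline runs).
function fakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    setAttribute: (k, v) => { map.set(k, String(v)); },
  };
}

if (typeof document !== 'undefined') {
  // In a browser: harden the links already present in the page.
  hardenLinks(document.querySelectorAll('a[target]'));
} else {
  // Under Node: run against one constructed sample link.
  const sample = [fakeAnchor({ href: 'https://example.com/', target: '_blank', rel: 'nofollow' })];
  console.log(hardenLinks(sample), sample[0].getAttribute('rel'));
}
```

In a browser, call `openDetached(url, window)` wherever the code would otherwise call `window.open(url)` directly.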