What is Reverse Tabnabbing Vulnerability?

Reverse tabnabbing is an attack in which a page linked from the target website is able to rewrite the page that opened it, for example, to replace it with a phishing site. Because the user was previously on the legitimate website, they are less likely to notice that it has been replaced by a phishing site, especially if the replacement looks identical to the original. If the user then authenticates on this new page, their credentials (or other sensitive data) are sent to the phishing site instead of the original one.

In addition to the linked site itself being able to overwrite the target page, any plain HTTP link can be spoofed to overwrite the target page if the user is on an untrusted network, such as a public Wi-Fi hotspot. Even if the target site is only reachable over HTTPS, the attacker can still carry out the attack by spoofing the HTTP site that the link points to.

The attack is usually possible when the source site uses a target attribute in an HTML link to specify a loading location that does not replace the current one (such as a new tab), leaving the current window/tab open, and does so without any of the protective measures described in the cheat sheet referenced below.

The attack is also feasible for links opened with the JavaScript method window.open.

Vulnerable page:

<html>
 <body>
  <ul>
   <!-- target="_blank" without rel="noopener": the new tab keeps a reference to this one via window.opener -->
   <li><a href="https://bad.example.com" target="_blank">Vulnerable target using HTML link to open the new page</a></li>
  </ul>
  <!-- window.open() without the 'noopener' feature: the returned window also has window.opener set -->
  <button onclick="window.open('https://bad.example.com')">Vulnerable target using JavaScript to open the new page</button>
 </body>
</html>

Malicious Site that is linked to:

<html>
 <body>
  <script>
   // window.opener is the tab that opened this one; assigning its location
   // is permitted cross-origin, so the original tab navigates to the phishing page.
   if (window.opener) {
      window.opener.location = "https://phish.example.com";
   }
  </script>
 </body>
</html>

When a user clicks the vulnerable target link/button, the malicious site opens in a new tab as expected, but the target site in the old tab is replaced by the phishing site.

The HTML5 Cheat Sheet includes prevention information.
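The following is an added, defender-side example; it is not code from the original post or from the ZOFixer scanner. It shows the check a reviewer would run over page templates: flag every `<a target="_blank">` whose `rel` attribute lacks `noopener` (or `noreferrer`, which implies it), flag `window.open(...)` calls that do not pass the `noopener` window feature, and rewrite the unsafe anchors with a hardened `rel`. The sample HTML is constructed for the example and mirrors the vulnerable page above; the attribute parsing is regex-based, so it is meant for templates and snippets rather than arbitrary HTML.

```javascript
// Added example: static check for reverse-tabnabbing-prone links (not the page's own code).
// Assumptions: input is a raw HTML/template string; regex parsing is good enough for
// review of templates but is not a full HTML parser.

const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const OPEN_RE = /window\.open\s*\(([^)]*)\)/g;

// Parse name="value" / name='value' / name=value pairs out of one start tag.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    const value = m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : m[5]);
    attrs[m[1].toLowerCase()] = value || '';
  }
  return attrs;
}

// rel is safe when it severs the opener link: "noopener", or "noreferrer" (which implies noopener).
function relIsSafe(rel) {
  const tokens = (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

function opensNewContextUnsafely(attrs) {
  return (attrs.target || '').toLowerCase() === '_blank' && !relIsSafe(attrs.rel);
}

// Return every anchor start tag that opens a new tab while leaving window.opener reachable.
function findUnsafeAnchors(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    if (opensNewContextUnsafely(parseAttrs(m[0]))) findings.push(m[0]);
  }
  return findings;
}

// Rewrite unsafe anchors: keep existing rel tokens and append "noopener noreferrer".
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!opensNewContextUnsafely(attrs)) return tag;
    const existing = (attrs.rel || '').split(/\s+/).filter(Boolean);
    const rel = existing.concat(['noopener', 'noreferrer']).join(' ');
    // Drop any existing rel attribute, then append the hardened one before the closing '>'.
    const withoutRel = tag.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i, '');
    return withoutRel.replace(/>$/, ` rel="${rel}">`);
  });
}

// Return every window.open(...) call whose argument list does not mention the 'noopener' feature.
// (The legacy pattern of nulling newWindow.opener after the call is not recognised by this check.)
function findUnsafeWindowOpen(source) {
  const findings = [];
  for (const m of source.matchAll(OPEN_RE)) {
    if (!/noopener/i.test(m[1])) findings.push(m[0]);
  }
  return findings;
}

// Constructed sample input: one unsafe anchor, one safe anchor, one same-tab link,
// one unsafe window.open and one hardened window.open.
const SAMPLE_HTML = `<ul>
 <li><a href="https://bad.example.com" target="_blank">unsafe</a></li>
 <li><a href="https://ok.example.com" target="_blank" rel="noopener noreferrer">safe</a></li>
 <li><a href="/local" target="_self">same tab</a></li>
</ul>
<button onclick="window.open('https://bad.example.com')">open</button>
<button onclick="window.open('https://ok.example.com', '_blank', 'noopener')">open safely</button>`;

console.log('unsafe anchors:', findUnsafeAnchors(SAMPLE_HTML));
console.log('unsafe window.open calls:', findUnsafeWindowOpen(SAMPLE_HTML));
console.log('hardened HTML:\n' + hardenAnchors(SAMPLE_HTML));
```

Current browsers already treat `target="_blank"` as if `rel="noopener"` were present, but an explicit `rel="noopener noreferrer"` still protects users on older browsers, and `window.open` never gained that implicit default, so the `'noopener'` feature (or clearing `opener` on the returned window) remains necessary there.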

The ZOFixer.com security scan helps to find this vulnerability in your web application; you can use it by registering on our website and activating the 30-day trial.
