The HTML <a> element, also known as anchor element is used within webpages to create an hyperlink to another resource. The anchor tag can also be specified with several attributes, one of them being the target attribute. An example can be seen below. Usage of certain attributes can often introduce vulnerabilities in a web application.
Example Link:
The target attribute specifies the context in where the linked resource will open when the it is clicked by a user. The target attribute supports many values such as _blank, _parent and _top. The most interesting of these values is the “_blank” value. If the target attribute is used with the “_blank” value, the resource used as link will open in a new tab, or a new window in older browsers.
However, it was discovered a while back that a link opened via target blank attribute can make changes to the original page, essentially bypassing same origin policy restrictions. An example of this are as follows.
Clicking the above link will take you to a webpage with the following JavaScript code:
1
2
3
<script>
window.opener.location = 'https://media.makeameme.org/created/hacked.jpg';
</script>
In the above code, the window.opener.location property is used to redirect a user from the initial clicked webpage to an attacker controlled webpage. This could be leveraged to conduct phishing attacks on the initial webpage since the window.opener object has access to the page from where the user clicked the link. However, it should be noted that it is not possible to execute JavaScript on the initial page since the window.opener object only has partial access (TLDR: you can only control the location attribute of the window object so only redirection is possible).
To make detection of this vulnerability easier, I wrote a Burp Plugin which can be found here: https://github.com/snoopysecurity/Noopener-Burp-Extension
The following article also shows a real-world example of this vulnerability: https://dev.to/ben/the-targetblank-vulnerability-by-example
To prevent pages from abusing this vulnerability, the “noopener” and “noreferrer” attribute can be used. An example of this is shown below:
1
<a href="http://snoopysecurity.github.io" target="_blank" rel="noopener noreferrer">Click Me</a>
For older browsers, The “noreferrer” attribute will need to be used since certain browsers such as Firefox doesn’t support the “noopener” attribute.
References:
- https://mathiasbynens.github.io/rel-noopener/