神刀安全网

Don’t Use target=_blank, Security Risk

About rel=noopener

0m6 you’ve been h4ck3d!!1one!shift!!!1 :hankey:


What problems does it solve?

You’re currently viewing index.html.

Imagine the following is user-generated content on your website:

Click me!!1 (same-origin)

Clicking the above link opens malicious.html in a new tab (using target=_blank). By itself, that’s not very exciting.

However, the malicious.html document in this new tab has a window.opener which points to the window of the HTML document you’re viewing right now, i.e. index.html.

This means that once the user clicks the link, malicious.html has full control over this document’s window object!

Note that this also works when index.html and malicious.html are on different origins — window.opener.location is accessible across origins! (Things like window.opener.document are subject to CORS though.) Here’s an example with a cross-origin link:

Click me!!1 (cross-origin)

In this proof of concept, malicious.html replaces the tab containing index.html with index.html#hax, which displays a hidden message. This is a relatively harmless example, but instead it could’ve redirected to a phishing page, designed to look like the real index.html, asking for login credentials. The user likely wouldn’t notice this, because the focus is on the malicious page in the new window while the redirect happens in the background. This attack could be made even more subtle by adding a delay before redirecting to the phishing page in the background (see tab nabbing).

TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.

Recommendations

To prevent pages from abusing window.opener, use rel=noopener. This ensures window.opener is null in Chrome 49 and Opera 36.

Click me!!1 (now with rel=noopener)

For older browsers, you could use rel=noreferrer which also disables the Referer HTTP header, or the following JavaScript work-around which potentially triggers the popup blocker:

var otherWindow = window.open(); // open a blank window first (may be blocked if not in a user gesture)
otherWindow.opener = null;       // sever the back-reference to this document
otherWindow.location = url;      // only then navigate the new window to the destination

Don’t use target=_blank, especially for links in user-generated content, unless you have a good reason to.
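The two recommendations above, as an added example that is not part of the original page: a post-processing step that rewrites every target=_blank anchor in a string of user-generated HTML so it carries rel="noopener noreferrer" (noreferrer covering the older browsers mentioned above), and the window.open() work-around wrapped in a function whose window object can be injected so it runs outside a browser. The tiny attribute parser, the function names and the sample markup are assumptions of this example; in a real deployment the rel fix belongs inside whatever HTML sanitizer already processes the content.

```javascript
// Added example (not from the original page): defensive helpers for
// the rel=noopener recommendation. The attribute parser is deliberately
// minimal and is an assumption of this example.

// Matches one attribute: name, optionally followed by ="..." / ='...' / =bare
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute portion of an opening tag into ordered [name, value] pairs.
// A boolean attribute (no value) is stored with value null.
function parseAttributes(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? null;
    attrs.push([name, value]);
  }
  return attrs;
}

// Serialize [name, value] pairs back into attribute text, double-quoting values.
function serializeAttributes(attrs) {
  return attrs
    .map(([name, value]) =>
      value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`)
    .join(' ');
}

// rel tokens every target=_blank link should carry (noreferrer for old browsers).
const REL_TOKENS = ['noopener', 'noreferrer'];

// Rewrite every opening <a> tag with target="_blank" so that its rel attribute
// contains noopener and noreferrer; existing rel tokens (e.g. nofollow) are kept.
function addNoopenerToBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    const target = attrs.find(([n]) => n === 'target');
    if (!target || (target[1] || '').toLowerCase() !== '_blank') return tag;

    const relIndex = attrs.findIndex(([n]) => n === 'rel');
    const tokens = relIndex === -1
      ? []
      : (attrs[relIndex][1] || '').split(/\s+/).filter(Boolean);
    for (const t of REL_TOKENS) if (!tokens.includes(t)) tokens.push(t);

    const relAttr = ['rel', tokens.join(' ')];
    if (relIndex === -1) attrs.push(relAttr); else attrs[relIndex] = relAttr;
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// The window.open() work-around from the page as a function. `win` defaults to
// the browser's window; a stub can be passed in when running under Node.
// window.open() outside a user gesture may be blocked, in which case it returns
// null and we report that instead of dereferencing it.
function openWithoutOpener(url, win = globalThis.window) {
  const otherWindow = win.open();
  if (!otherWindow) return null; // popup blocked
  otherWindow.opener = null;     // sever the back-reference before navigating
  otherWindow.location = url;
  return otherWindow;
}

// Constructed sample of user-generated markup for a stand-alone run.
const SAMPLE_HTML =
  '<p>See <a href="https://example.com/" target="_blank">this</a> and ' +
  '<a target="_blank" rel="nofollow" href="/p">that</a>, but not ' +
  '<a href="/same-tab">this one</a>.</p>';

console.log(addNoopenerToBlankLinks(SAMPLE_HTML));
```

Running the block prints the sample with rel="noopener noreferrer" added to the first link and rel="nofollow noopener noreferrer" on the second, while the same-tab link is left untouched. Sanitizers that expose hooks can host the same logic; for example DOMPurify's afterSanitizeAttributes hook is a common place to set rel on target=_blank anchors, which avoids regex-based tag rewriting altogether.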

Bug tickets to follow
