I’ve had this post half written up for some time, and recently set aside some time to actually get it written.
Quite often during pentesting I have come across a web application with functionality that allows users to set links in their profile, to LinkedIn or Twitter for example. Sometimes these links are fully controllable: you can point them at any URL. If the link is controllable and has a target attribute of _blank, then an attack (dubbed “tab-nabbing”) can be performed.
What is _blank?
_blank is one of the values of the target attribute on HTML links. The target attribute lets the web developer tell the browser where the linked document should open; the _blank value opens it in a new window or tab.
The security issue?
Tab-nabbing allows the newly opened tab to control the tab that opened it (through the window.opener reference the browser gives the new tab). An example attack: a user clicks a link to visit your Twitter profile and it opens in a new tab. They close that tab and notice they have been “logged out” of the original application, so they enter their credentials to log in again. Unknown to them, the original tab has meanwhile been redirected to a fake login page, and their credentials have just been stolen.

So when performing a pentest one could just look for user-controllable target="_blank" links, right?
Well, it turns out that even though this issue is a fairly low-risk one at best (it requires specific circumstances, user interaction, etc.), the developers at Google, Mozilla, and Apple decided it would be a good idea to mitigate it by default. Every target="_blank" link is now treated as rel="noopener" by default in Chrome, Firefox, and Safari.
So, to get the same issue now, the web application would need to have a user-controllable link with both the target="_blank" and rel="opener" attributes set.
I’ve built a Burp Plugin to provide as a template for further development that looks for these attributes during testing. I’ll post it up on my website and GitHub and make it available for others (if you find it useful).
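The core of the check such a plugin performs, written here as an added example (it is not the author's plugin code): parse the anchors in a response and flag target="_blank" links that explicitly opt back in with rel="opener" (exploitable in current browsers) or that simply lack noopener/noreferrer (only relevant to browsers without the new default). The sample HTML is constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample response body (not from the original post).
SAMPLE_HTML = """
<a href="https://example.com/profile" target="_blank" rel="opener">LinkedIn</a>
<a href="https://example.com/other" target="_blank">Twitter</a>
<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">Site</a>
<a href="/internal" target="_self">Home</a>
"""


class AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> tag (html.parser lower-cases names)."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # A bare attribute such as <a rel> arrives with value None.
            self.anchors.append({k: (v or "").strip() for k, v in attrs})


def classify(anchor):
    """Return a severity label for a tab-nabbing candidate, or None if safe."""
    if anchor.get("target", "").lower() != "_blank":
        return None
    rel = set(anchor.get("rel", "").lower().split())
    if "opener" in rel:
        return "high"   # re-enables window.opener even where noopener is the default
    if rel & {"noopener", "noreferrer"}:
        return None     # noreferrer implies noopener
    return "low"        # only browsers without the rel=noopener default are affected


def find_tabnabbing_links(html):
    """List (href, severity) for every anchor worth a manual look."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(a.get("href", ""), classify(a)) for a in parser.anchors if classify(a)]


if __name__ == "__main__":
    for href, severity in find_tabnabbing_links(SAMPLE_HTML):
        print(f"{severity}: {href}")
```

The check only inspects markup; whether the flagged href is actually user-controllable still has to be confirmed by hand, as the post describes.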
TL;DR
The _blank issue has been largely mitigated by modern browsers, but my Burp Plugin template might be worth a look for finding edge cases or as a starting point for other Burp Plugins.
Proof of Concept
https://cptwin.github.io/pocs/underscoreblank1.html
References
W3schools.com - HTML a target Attribute
https://www.w3schools.com/tags/att_a_target.asp
Chrome Platform Status: Feature: Anchor target=_blank implies rel=noopener by default
https://www.chromestatus.com/feature/6140064063029248
WebKit Bugzilla: Bug 155166: Implement rel=noopener
https://bugs.webkit.org/show_bug.cgi?id=155166
Bugzilla: Implement rel=noopener