From a026ad0727f08166505ece9628d341b2b889f65d Mon Sep 17 00:00:00 2001 From: Max Boll Date: Tue, 20 Oct 2020 11:17:01 +0200 Subject: [PATCH 1/5] tabnabbing.md added --- Tabnabbing/Tabnabbing.md | 43 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 Tabnabbing/Tabnabbing.md diff --git a/Tabnabbing/Tabnabbing.md b/Tabnabbing/Tabnabbing.md new file mode 100644 index 0000000..8a2adc2 --- /dev/null +++ b/Tabnabbing/Tabnabbing.md 
@@ -0,0 +1,43 @@ +# Tabnabbing + +> Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially it the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one. + +## Summary + +* [Tools](#tools) +* [Something](#something) + * [Subentry 1](#sub1) + * [Subentry 2](#sub2) +* [References](#references) + +## Tools + +- [Discover Reverse Tabnabbing - Burp Extention](https://example.com) + +## More information about the vulnerability: + +When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. + +## How to exploit: +``` +1. Attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com" +2. He tricks the victim into visiting the link, which is opened in the browser in a new tab. +3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website. +4. If the victim opens the background tab again and doesn't look at the address bar, it may happen that he thinks he is logged out, because a login page appears, for example. +5. 
The victim tries to log on again and the attacker receives the credentials +``` + +## How to hunt for it: + +As already mentioned, you have to search for the following link formats: + +```html + +or + +``` + +## References + +- [Reverse Tabnabbing - OWASP, 20.10.20](https://owasp.org/www-community/attacks/Reverse_Tabnabbing) +- [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing) \ No newline at end of file From 3671248485a593beebd02e2efc3159efbe205111 Mon Sep 17 00:00:00 2001 From: Max Boll Date: Tue, 20 Oct 2020 11:20:56 +0200 Subject: [PATCH 2/5] typing errors fixed --- Tabnabbing/Tabnabbing.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Tabnabbing/Tabnabbing.md b/Tabnabbing/Tabnabbing.md index 8a2adc2..8f6d848 100644 --- a/Tabnabbing/Tabnabbing.md +++ b/Tabnabbing/Tabnabbing.md 
@@ -5,20 +5,20 @@ ## Summary * [Tools](#tools) -* [Something](#something) - * [Subentry 1](#sub1) - * [Subentry 2](#sub2) +* [More information about the vulnerability](#More information about the vulnerability) +* [How to exploit](#How to exploit) +* [How to hunt for it](#How to hunt for it) * [References](#references) ## Tools - [Discover Reverse Tabnabbing - Burp Extention](https://example.com) -## More information about the vulnerability: +## More information about the vulnerability When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. -## How to exploit: +## How to exploit ``` 1. Attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com" 2. He tricks the victim into visiting the link, which is opened in the browser in a new tab. @@ -27,14 +27,14 @@ When tabnabbing, the attacker searches for links that are inserted into the webs 5. The victim tries to log on again and the attacker receives the credentials ``` -## How to hunt for it: +## How to hunt for it As already mentioned, you have to search for the following link formats: ```html or - + ``` ## References From fae1f339e2a870103ef7064e7a79adce1fd65ac3 Mon Sep 17 00:00:00 2001 From: Max Boll Date: Tue, 20 Oct 2020 11:22:25 +0200 Subject: [PATCH 3/5] typos fixed --- Tabnabbing/Tabnabbing.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Tabnabbing/Tabnabbing.md b/Tabnabbing/Tabnabbing.md index 8f6d848..4479220 100644 --- a/Tabnabbing/Tabnabbing.md +++ b/Tabnabbing/Tabnabbing.md 
@@ -5,9 +5,9 @@ ## Summary * [Tools](#tools) -* [More information about the vulnerability](#More information about the vulnerability) -* [How to exploit](#How to exploit) -* [How to hunt for it](#How to hunt for it) +* [More information about the vulnerability](#More-information-about-the-vulnerability) +* [How to exploit](#How-to-exploit) +* [How to hunt for it](#How-to-hunt-for-it) * [References](#references) ## Tools @@ -40,4 +40,4 @@ or ## References - [Reverse Tabnabbing - OWASP, 20.10.20](https://owasp.org/www-community/attacks/Reverse_Tabnabbing) -- [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing) \ No newline at end of file +- [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing) From 33ab643c0d5d44805e73a9388aed906b03cb640f Mon Sep 17 00:00:00 2001 From: Max Boll Date: Tue, 20 Oct 2020 11:24:39 +0200 Subject: [PATCH 4/5] Rename Tabnabbing.md to README.md --- Tabnabbing/{Tabnabbing.md => README.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Tabnabbing/{Tabnabbing.md => README.md} (100%) diff --git a/Tabnabbing/Tabnabbing.md b/Tabnabbing/README.md similarity index 100% rename from Tabnabbing/Tabnabbing.md rename to Tabnabbing/README.md From 0f125243abea98611966977961f3b9d833042123 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 20 Oct 2020 11:34:02 +0200 Subject: [PATCH 5/5] Update README.md --- Tabnabbing/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tabnabbing/README.md b/Tabnabbing/README.md index 4479220..3c10db4 100644 --- a/Tabnabbing/README.md +++ b/Tabnabbing/README.md @@ -12,7 +12,7 @@ ## Tools -- [Discover Reverse Tabnabbing - Burp Extention](https://example.com) +- [Discover Reverse Tabnabbing - Burp Extension](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) ## More information about the vulnerability
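Review bot: In [PATCH 1/5], the `html` fence under "How to hunt for it" holds only the word `or` as it appears here, so the "following link formats" the sentence above it promises are not shown. Put the actual anchor markup in the fence, matching the condition stated under "More information about the vulnerability" (a `target` containing `_blank` and a `rel` that does not contain `noopener`). The page also names `noopener` only as something the attacker checks for; one sentence saying that setting it in `rel` on such links removes the condition would make the write-up usable for whoever has to fix the finding. Two wording slips in the same hunk: "especially it the site" in the opening quote should read "if", and "it checks" should be "he checks" to agree with the sentence before it.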
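Review bot: In [PATCH 2/5], the new Summary targets such as `(#More information about the vulnerability)` contain spaces, which does not match the hyphenated form heading anchors take, so the three added entries will not jump to their sections. [PATCH 3/5] rewrites exactly these lines, so squash the two rather than committing an intermediate state with broken links. The subject "typing errors fixed" also undersells the change, which replaces the placeholder Summary entries and drops the trailing colons from three headings; say so in the message.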
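Review bot: In [PATCH 3/5], the hyphenated fragments keep the heading's capitalisation (`#More-information-about-the-vulnerability`, `#How-to-exploit`, `#How-to-hunt-for-it`) while the neighbouring entries in the same list are lowercase (`#tools`, `#references`). GitHub generates lowercase slugs for headings, so write these three in lowercase as well to keep the list consistent and avoid depending on case-insensitive fragment matching.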