The “target” attribute of anchor tag in HTML converts a website into a phishing platform if the website allows its users to post links.
We all use the anchor tag in HTML for providing a hyperlink in our hypertext document. But using this attribute with value ” _blank” in a particular way may make your website a great target for attackers.
The case becomes worse if your website is vulnerable to XSS.
Why?
Because when you open a new tab by reference from an existing tab, your browser allows this new tab to communicate with the referrer tab by using window.opener API.
How Does It Work:
imagine you have coded a webpage which has hyperlinks and you have used the target attribute with value _blank in this way:
href="http//:www.yourwebsite.com/a_link" target="_blank"
And the link which is being referred here allows the users to put links on this page in some way. For example, Facebook allows you to put a link to your website on your website’s Facebook page.
Then a user may place a link to his/her website which has some malicious script on it like:
window.opener.location('http:fakewebsite.com/fakepage');
When the link is opened in new tab, this malicious code changes the link loaded in the referrer tab. The attacker may place a fake page asking for login, and ultimately collect your credentials.
Can I prevent this from happening?
Of course you can. By placing this code in your anchor tag, you can prevent your page from being used as a phishing surface.
rel="noopener"
If you are lazy enough to risk your security, I suggest a one time solution. Download thisfrom github and include this file as a script source in your next document.
If you want to read further, I would advise you to follow the text on this page.
And finally,if you have any further queries, feel free to ask in the comments.
Comments
Post a Comment