Redirect while opening links in new tabs

From Hackipedia
Hackerone #23386
Target: Hackerone
Target Module:
Type: Open Redirect
Payload:
Original: Link
CVE:
Archive Screenshot

Hyperlinks that open a third-party site in a new tab may expose the originating page to a vulnerability, depending on the anchor tag's attributes. A tab opened with target="_blank", or a new window opened with window.open(), gives the opened page a reference back to the tab/window that opened the link via window.opener.

The options available to window.opener are limited, but it is possible to redirect the opener with a script such as:

<script>
window.opener.location.replace('http://www.evil.com/scam.php');
</script>

So when a user clicks back to the original window, they may have been redirected to a fake site that requires them to log in again.

This vulnerability can be defeated by adding the attribute rel="noopener noreferrer" to new-tab links, and by setting a new window's opener object to null via newWindow.opener = null;
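The two mitigations above, as an added example that is not code from the original page or from the report: an audit that flags target="_blank" links whose rel carries neither noopener nor noreferrer, a helper that hardens such a link, and a window.open() wrapper that nulls the opener. The function names, the sample links and the site.example / thirdparty.example hosts are constructed for illustration.

```javascript
// Split a rel attribute into a lowercase token set.
function relTokens(rel) {
  return new Set(String(rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the opened page would receive a usable window.opener reference.
function exposesOpener(link) {
  if (String(link.target || '').toLowerCase() !== '_blank') return false;
  const tokens = relTokens(link.rel);
  // noreferrer also implies noopener in the HTML specification.
  return !(tokens.has('noopener') || tokens.has('noreferrer'));
}

// An href that cannot be parsed is treated as untrusted (third party).
function isThirdParty(link, pageOrigin) {
  try { return new URL(link.href, pageOrigin).origin !== pageOrigin; }
  catch (e) { return true; }
}

// List every link that exposes window.opener and mark the cross-origin ones.
function auditLinks(links, pageOrigin) {
  return Array.from(links).filter(exposesOpener)
    .map((link) => ({ href: link.href, thirdParty: isThirdParty(link, pageOrigin) }));
}

// Add the recommended rel tokens while keeping existing ones (e.g. nofollow).
function hardenLink(link) {
  const tokens = relTokens(link.rel);
  tokens.add('noopener');
  tokens.add('noreferrer');
  link.rel = Array.from(tokens).join(' ');
  return link;
}

// window.open() wrapper applying newWindow.opener = null; win is the window object.
function openDetached(win, url) {
  const child = win.open(url, '_blank');
  if (child) child.opener = null;
  return child;
}

// Constructed sample links; plain objects stand in for DOM anchors.
const sampleLinks = [
  { href: 'https://thirdparty.example/post', target: '_blank', rel: '' },
  { href: 'https://thirdparty.example/safe', target: '_blank', rel: 'nofollow NoOpener' },
  { href: '/help', target: '_blank', rel: 'nofollow' },
  { href: 'https://thirdparty.example/same-tab', target: '', rel: '' },
];
console.log(auditLinks(sampleLinks, 'https://site.example'));
```

In a browser console the same functions accept real anchors: pass document.querySelectorAll('a[target]') and location.origin to auditLinks.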

How To Perform

  1. Check link creation (form fields, comments, article creation, etc) to see how new links are handled
  2. Create a test page of your own to link to, or use existing pages
    1. http://daniel-tomescu.com/hackerone/landpage.php
  3. Observe redirect behavior of original window.