This Familiar HTML Attribute Has Given Birth To A New Way Of Phishing

The “target” attribute of the HTML anchor tag can turn your website into a phishing platform if your pages open user-supplied links in a new tab.

We all use the anchor tag in HTML to provide hyperlinks in a hypertext document. But using its target attribute with the value "_blank" in a particular way may make your website a great target for attackers.

The case becomes worse if your website is vulnerable to XSS, because then the attacker does not need a feature that lets users post links at all; he can inject such a link himself.

Why?
Because when a page opens a link in a new tab, the browser hands the new page a reference to the tab that opened it through the window.opener API. The same-origin policy stops the new page from reading the opener's content, but it is still allowed to assign window.opener.location, and that navigates the original tab to any URL the new page chooses.

How Does It Work:

Imagine you have coded a webpage which has hyperlinks, and you have used the target attribute with the value _blank in this way:

<a href="http://www.yourwebsite.com/a_link" target="_blank">a link</a>

Now suppose your page lets its users supply the links it shows, in the way Facebook lets you put a link to your own website on your website's Facebook page.
An attacker can then submit a link to a site of his own that carries a script like:

window.opener.location = 'http://fakewebsite.com/fakepage';

When the link is opened in a new tab, this code replaces the page loaded in the original tab, while the user is looking at the new one. The attacker can load a fake copy of your site there that asks the user to log in again, and ultimately collect the credentials. (This is what is generally called reverse tabnabbing.)

Can I prevent this from happening?

Of course you can. Add this attribute to every anchor tag that uses target="_blank", and the opened page gets no window.opener reference at all:

rel="noopener"

Older browsers that do not understand noopener do honour rel="noreferrer", which also severs the opener (and additionally drops the Referer header), so rel="noopener noreferrer" is the safe combination. Current browsers (Chrome 88, Firefox 79 and Safari 12.1 onwards) already treat target="_blank" as if noopener were present, but a site cannot assume every visitor runs one of them.
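To make both halves of this concrete, here is an added example; it is not code from the original post and not the GitHub script referred to on this page. It pairs the attacker's side (the redirect through window.opener, with the opener passed in as a parameter so the logic can be exercised outside a browser) with a small audit that scans HTML for anchors that open a new tab without noopener or noreferrer and patches them. The function names, the sample markup and the example.net/example.org links are assumptions made for this example; fakewebsite.com is the placeholder the post itself uses.

```javascript
// Added example, not code from the original post. Attacker side and
// defender side of reverse tabnabbing through window.opener.

// Attacker side: runs on the page that was opened with target="_blank".
// `opener` is window.opener in a real browser; it is a parameter here so the
// logic can be exercised outside a browser with a stand-in object (assumption).
function tabnab(opener, phishingUrl) {
  if (!opener) {
    // rel="noopener"/"noreferrer" (or a modern browser's default for _blank)
    // leaves window.opener null, so there is nothing to redirect.
    return false;
  }
  // Cross-origin reads of the opener are blocked by the same-origin policy,
  // but assigning `location` is permitted, so the original tab navigates away.
  opener.location = phishingUrl;
  return true;
}

// Defender side: find <a ...> tags that open a new tab without noopener.
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Value of attribute `name` inside one start tag, or null if absent.
function attrValue(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

function isUnsafeBlankAnchor(tag) {
  const target = attrValue(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const tokens = (attrValue(tag, 'rel') || '').toLowerCase().split(/\s+/);
  // noreferrer implies noopener in every browser that supports either.
  return !(tokens.includes('noopener') || tokens.includes('noreferrer'));
}

// Returns the hrefs of offending anchors and a corrected copy of the markup.
function auditBlankLinks(html) {
  const findings = [];
  const fixed = html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafeBlankAnchor(tag)) return tag;
    findings.push(attrValue(tag, 'href'));
    const rel = attrValue(tag, 'rel');
    if (rel === null) {
      // No rel attribute at all: add one just before the closing '>'.
      return tag.replace(/\s*>$/, ' rel="noopener noreferrer">');
    }
    // Existing rel (e.g. rel="nofollow"): rewrite it with the missing tokens.
    const stripped = tag.replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return stripped.replace(/\s*>$/, ` rel="${rel} noopener noreferrer">`);
  });
  return { findings, fixed };
}

// Constructed sample fragment (assumption, not taken from any real site).
const SAMPLE_HTML = [
  '<p>Profile links:</p>',
  '<a href="https://www.yourwebsite.com/a_link" target="_blank">site</a>',
  '<a href="https://example.net/" target="_blank" rel="nofollow">user link</a>',
  '<a href="https://example.org/" target="_blank" rel="noopener">safe</a>',
  '<a href="/internal">same tab</a>',
].join('\n');

const report = auditBlankLinks(SAMPLE_HTML);
console.log('anchors missing noopener:', report.findings);
console.log(report.fixed);
// With the opener severed the attacker's script has nothing to work with.
console.log('redirect possible:', tabnab(null, 'http://fakewebsite.com/fakepage'));
```

Run it with node to see the two offending anchors and the patched markup. The same isUnsafeBlankAnchor check applied to document.querySelectorAll('a[target="_blank"]') when the page loads is the client-side form of the fix, which is the kind of thing a drop-in script can do for a site whose templates are hard to edit.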

If you would rather not edit every link by hand, there is a one-time solution: download this from github and include the file as a script source in your next document.

If you want to read further, I would advise you to follow the text on this page.

And finally, if you have any further queries, feel free to ask in the comments.

Abhishek Awasthi
Continuous improvement is better than delayed perfection -Mark Twain.