[Owasp-leaders] Link target = _blank vulnerability

Sam Stepanyan sam.stepanyan at owasp.org
Wed Feb 14 16:26:12 UTC 2018


Hi Simon,

This vulnerability is one of these that Google don't seem to care about 
- see this article:

https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener

So, for the taxonomy - the attack is called "reverse tabnabbing" - 
feel free to create and author an OWASP Wiki page. I have found quite a 
lot of reference material by doing a search on Google.

Regards,

Sam

-- 

Sam Stepanyan
OWASP London Chapter Leader
sam.stepanyan at owasp.org
https://www.owasp.org/index.php/London
Follow OWASP London Chapter on Twitter: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon

Consider giving back and supporting the open community by becoming an OWASP member today!

On 13/02/2018 18:10, psiinon wrote:
> Leaders,
>
> We've just added a ZAP passive scan rule for detecting unsafe links 
> which use a target of '_blank' and don't use either 'noopener' or 
> 'noreferrer' in the 'rel' attribute.
> I was somewhat disappointed not to find an OWASP wiki page that we 
> could refer to.
> I think we should have something for it on the wiki, maybe a 'Link 
> target _blank' 'Attack 
> <https://www.owasp.org/index.php/Category:Attack>' page?
> I'm happy to write the first version (if no one else would rather do 
> it) but taxonomy has never been one of my strengths ;)
> Thoughts?
>
> Cheers,
>
> Simon
>
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
