[Owasp-leaders] Link target = _blank vulnerability

psiinon psiinon at gmail.com
Tue Feb 20 12:24:55 UTC 2018


Thanks Sam :)

First attempt here: https://www.owasp.org/index.php/Reverse_Tabnabbing

All - feel free to email me with comments and suggestions, or just update
the wiki page yourselves...

Cheers,

Simon

On Wed, Feb 14, 2018 at 4:26 PM, Sam Stepanyan <sam.stepanyan at owasp.org>
wrote:

> Hi Simon,
>
> This vulnerability is one of those that Google doesn't seem to care about -
> see this article:
>
> https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener
>
> So, for the taxonomy -  the attack is called "reverse tabnabbing"  - feel
> free to create and author an OWASP Wiki page. I have found quite a lot of
> reference material by doing a search on Google.
>
> Regards,
>
> Sam
>
> --
>
> Sam Stepanyan
> OWASP London Chapter Leader
> sam.stepanyan at owasp.org
> https://www.owasp.org/index.php/London
> Follow OWASP London Chapter on Twitter: @owasplondon
> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
>
> Consider giving back and supporting the open community by becoming an OWASP member today!
>
> On 13/02/2018 18:10, psiinon wrote:
>
> Leaders,
>
> We've just added a ZAP passive scan rule for detecting unsafe links which
> use a target of '_blank' and don't use either 'noopener' or 'noreferrer' in
> the 'rel' attribute.
> I was somewhat disappointed not to find an OWASP wiki page that we could
> refer to.
> I think we should have something for it on the wiki, maybe a 'Link target
> _blank' 'Attack <https://www.owasp.org/index.php/Category:Attack>' page?
> I'm happy to write the first version (if no one else would rather do it)
> but taxonomy has never been one of my strengths ;)
> Thoughts?
>
> Cheers,
>
> Simon
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
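The check Simon describes in the thread (flag every anchor with target="_blank" whose rel attribute carries neither noopener nor noreferrer), written out as an added example in JavaScript. This is not ZAP's own scan rule and not code posted by anyone in the thread. The sample HTML is constructed for the example, the hrefs are placeholders, and the tag and attribute parsing is a deliberately small regex that assumes well-formed anchor tags with no '>' inside attribute values. It goes one step beyond the passive check by also including the fix: a function that appends noopener to each flagged link.

```javascript
// Added example: a minimal passive check for anchors that open a new browsing
// context with target="_blank" but do not sever the window.opener link with
// rel="noopener" (or rel="noreferrer", which implies it). Not ZAP's code.
// The HTML below is constructed for this example; the hrefs are placeholders.
const SAMPLE_HTML = `
<a href="https://example.org/a" target="_blank">unsafe: no rel at all</a>
<a href="https://example.org/b" target="_blank" rel="nofollow">unsafe: rel without noopener</a>
<a href="https://example.org/c" target="_blank" rel="noopener">safe</a>
<a href="https://example.org/d" target="_blank" rel="noreferrer nofollow">safe: noreferrer implies noopener</a>
<a href="https://example.org/e" target="_self">out of scope: no new browsing context</a>
<a href='https://example.org/f' TARGET='_BLANK'>unsafe: attribute name and value case vary</a>
`;

// Parse the attribute list of one start tag into a map keyed by lowercase
// attribute name. Handles double-quoted, single-quoted and unquoted values and
// valueless attributes; assumes no '>' inside a value (a simplification).
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Tokenise a rel attribute value (space-separated, case-insensitive).
function relTokens(value) {
  return (value || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// True when the anchor opens a new context and does not cut the opener link.
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// The passive check: return the href of every unsafe target="_blank" anchor.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (isUnsafeBlankLink(attrs)) unsafe.push(attrs.href || '');
  }
  return unsafe;
}

// The fix: add "noopener" to every flagged anchor, appending to an existing rel
// token list or adding a rel attribute when there is none.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttributes(body);
    if (!isUnsafeBlankLink(attrs)) return tag;
    if (attrs.rel) {
      return tag.replace(
        /\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i,
        (_, d, s, u) => `rel="${(d ?? s ?? u).trim()} noopener"`
      );
    }
    return tag.replace(/\s*>$/, ' rel="noopener">');
  });
}

// Stand-alone run: report the findings, then show the hardened markup is clean.
const findings = findUnsafeBlankLinks(SAMPLE_HTML);
console.log('unsafe target="_blank" links:', findings);
const hardened = hardenBlankLinks(SAMPLE_HTML);
console.log('after hardening:', findUnsafeBlankLinks(hardened));
```

Run it with node: it lists the three unsafe hrefs (a, b and f) and then confirms the hardened markup has none. The reason the rel token matters is that, without it, the page opened in the new tab can navigate the original tab through window.opener (for instance to a look-alike login page), which is the phishing scenario behind the "reverse tabnabbing" name. rel="noreferrer" implies noopener, which is why the check accepts either. Current browsers now apply noopener behaviour to target="_blank" links by default, so the explicit attribute matters mainly for older browsers and for window.open() calls, which still need the 'noopener' window feature.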