- Issue created by @Aurélien.B
- 🇫🇷France Aurélien.B Bretagne
Hello guys,
Here is a patch that should fix this vulnerability.
A vulnerability issue was found and could be applied with an exploit to external links.
It is a computer exploit which persuades users to submit their login details and passwords. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of browsers to navigate across a page's origin in inactive tabs a long time after the page is loaded. This attack will be done even if JavaScript is disabled, using the "meta refresh" meta element, an HTML attribute used for page redirection that causes a reload of a specified new page after a given time interval. The attack takes advantage of the trust of the victim and the ability of modern web pages to rewrite tabs and their contents for a long time after the page has been loaded.
Attackers will be able to inject malicious links using this exploit. Moreover, they will be able to inject malicious payloads into the links using the target="blank" tab nabbing exploit. Attackers will be able to take over any user account by exploiting this vulnerability, wherever target="blank" is placed with no rel tag. An attacker has the advantage of exploiting this behavior on the ongoing links in an application. They will be able to take over any user account by targeting different clients of your application.
- Account Takeover
- Malicious Server Execution
- Login Credentials Exposure
- Credentials Disclosure
- Phishing
Here is an example; what you are using now seems similar to:
<html>
<body>
<li><a href="http://bad.example.com/" target="_blank">Vulnerable target using html link to open the new page</a></li>
</body>
</html>
A malicious site that is linked to your page may take advantage of this vulnerability if it uses:
<html>
<body>
<script>
if (window.opener) {
window.opener.location = "https://phish.example.com";
}
</script>
</body>
</html>
So the impact is that the link will open in a new tab but the parent tab (your website) will be redirected to:
https://phish.example.com (or any link which is in place of https://phish.example.com)
Add rel="noopener noreferrer" to avoid this issue wherever target="blank" is placed.
Change attributes for external links.
Active
1.0
Code
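The remediation described in the issue above, as an added example that is not part of the original post or of the project's patch: a small filter that adds the missing rel tokens to every anchor that opens a new browsing context. The function names (hardenRel, getAttr, hardenAnchors) and the sample markup in the test are constructed for illustration, and the regex-based tag matching assumes attribute values do not contain ">".

```javascript
// Added example: hardenRel/getAttr/hardenAnchors are hypothetical helper names.
const REQUIRED = ["noopener", "noreferrer"];
// Target keywords that reuse an existing browsing context (no new tab, no opener).
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// Merge the required tokens into an existing rel value. rel is a
// space-separated token list; stray commas are treated as separators too.
function hardenRel(rel) {
  const tokens = (rel || "").toLowerCase().split(/[\s,]+/).filter(Boolean);
  for (const t of REQUIRED) if (!tokens.includes(t)) tokens.push(t);
  return tokens.join(" ");
}

// Read one attribute from the inside of a start tag
// (double-quoted, single-quoted or unquoted value). Returns null if absent.
function getAttr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Rewrite every <a> start tag that has a target opening a new context.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const target = getAttr(attrs, "target");
    if (target === null || SAME_CONTEXT.has(target.toLowerCase())) return tag;
    const rel = hardenRel(getAttr(attrs, "rel")).replace(/"/g, "&quot;");
    // Drop any existing rel attribute, then append the merged one.
    const rest = attrs
      .replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, "")
      .trimEnd();
    return `<a${rest} rel="${rel}">`;
  });
}
```

Existing rel tokens such as nofollow are preserved, and a misspelled token is kept but never counted as a substitute for the correct one.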