| Column | Details |
|---|---|
| Bug | Reverse Tab-Napping |
| Submitted on | 28 Aug 2020 |
| Fixed on | 29 Aug 2020 |
| Reward | A Bug Killer badge on my HackTheBox profile |
| Severity | Medium |
| My profile | https://www.hackthebox.eu/home/users/profile/84820 |
Brief :
This was an easy bug but you should never underestimate any bug no matters how impacful it is (excluding very low ones).
As you all know that there is a section in profile of a hackthebox user where walkthroughs are shown submitted by him/her , so in that section when you will click on any machine’s writeup submitted by the user you will be simply redirected to a new tab and to the writeup itself , But the main thing was the new tab was opening with target="_blank" (its a link opener attribute in html). So I was able to redirect the user to a new url (any phishing page or any malicious website) using the window.parent.location.replace() (js code).
Reverse Tab-napping is the bug which did exist in gitlab , facebook , instagram etc…
Bug Poc :
So lets get started how i find the bug and exploited it , here is the poc video
https://drive.google.com/file/d/1JlCESsW_gi7eN8qgP8zdGczdrs1NtDSA/view?usp=sharing
Identifying the bug
I submitted magic machine’s writeup on hackthebox and the team approved it , On the same time I was testing a platform from bugcorwd and i was testing for reverse tabnabbing there . I visit my hackthebox profile to check if walkthrough is approved or not and then I opened the writeup link and as obvious it redirected to new tab on my writeup page , then i also decided to test hackthebox for the tabnabbing
view-page source
I just tried to check the HTML of the page to view how they are opening the writeup in the new tab and I was surprised (bcz it was infront of everyone’s eyes) they were doing that like this
1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >Magic</a>
exploiting the bug
And they were using target="_blank" without omiting rel="noopener nofollow" and now i am 1000% sure that i can exploit it.
I added the following code to my markdown file (since i am using github pages) of magic machine writeup and push the changes to github
1
2
3
4
5
6
<html>
<script>
if (window.opener) window.opener.parent.location.replace('https://0xprashant.github.io/pages/index.html');
if (window.parent != window) window.parent.location.replace('https://0xprashant.github.io/pages/index.html');
</script>
</html>
What the code will do is it will check if there is a Windows-open then replace the parent windows with the url i specified
my https://0xprashant.github.io/pages/index.html has the following code , Its just a dummy page that can be a malicious page or phishing page
1
2
3
<html>
<h1>A fake htb page / any malicious site</h1>
</html>
now if i simply click on the magic writeup on my profile I will be redirected to the writeup page but the initial tab will be redireted to https://0xprashant.github.io/pages/index.html you can check the bug poc video here….
https://drive.google.com/file/d/1JlCESsW_gi7eN8qgP8zdGczdrs1NtDSA/view?usp=sharing
I am able to redirect the initial page to a new page
And i make a nice poc while my college's online classes were running lol , and i didn’t pay any attention to the class at all since i was busy at making a poc and then i reported to them and got the response after 1 day
Live bug testing
If you want to test the bug , you can simply click on the link below and the writeup page will be redirected
What i did is add the url with the following code in my markdown file
markdown
1
[https://0xprashant.github.io/posts/htb-magic/](https://0xprashant.github.io/posts/htb-magic/){:target="_blank"}
html
1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >https://0xprashant.github.io/posts/htb-magic/</a>
Why this bug happens ?
When you open a link in a new tab ( target=”_blank” ), the page that opens in a new tab can access the initial tab and change it’s location using the window.opener property. And since it can access the initial page so i am able to change the parent tab to another page
Some references –
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
- https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c
- https://mathiasbynens.github.io/rel-noopener/
- https://dev.to/ben/the-targetblank-vulnerability-by-example
Some hackerone reports –
- https://hackerone.com/reports/179568
- https://hackerone.com/reports/23386
- https://hackerone.com/reports/211065
How to fix this type of bug
This can be simply fixed by adding a rel="noopener nofollow" attribute
Before fixing
1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >Magic</a>
after fix
1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" rel="noopener nofollow">Magic</a>
and yes , it will be fixed
Thanks for Reading , i really appreciate it
You can support me on https://www.buymeacoffee.com/0xprashant to motivate me to write these type of writeups
I am thinking to upload some more bug Bounty Writeups along with hackthebox writeups on my blog so press the bell icon on the right side you are seeing and allow send notification