In this blog we gonna see about the Tabnabbing
Cyber attacks have grown from $3 trillion/year in 2015 to $10 trillion/year in 2022. 43% of the attacks are aimed at small businesses and only 14% are prepared to defend. The most common types of cyber attacks on small businesses are:
- Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%
Phishing attack is a method which is used by illegal computer experts to steal data, including login credentials and credit card numbers. An attacker acts as a trusted entity, dupes a victim into opening an email, text or dangerous links. The victim will be tricked to click/download malicious content, that results in stealing of sensitive information of the victim.
Social Engineering is a collection of methods used to trick people into performing actions or revealing sensitive information. One of the technology-based-attack is the Tabnabbing attack, coined by Aza Raskin in 2010 as a type of Phishing attack.
Anatomy of Tabnabbing:
In 2010, aza raskin dubbes an attack that will assist the phishing greatly with a name of tabnabbing which is elaborates as tab+kidnapping.
According to Raskin, an example of successful Tabnabbing attack will start with:
- Victim opened the page of the link and discovered a normal with non-harmful looking page
- The page will detect that it has not been interacted with for a while after being left unattended for a certain moment as victim switch his/her focus to the other tabs
- Using the page’s favicon and title visible by glancing at the tab, the victim will switch back to the page. There is a probability for the victim not tore-inspect the URL of the page
- If it is a phishing site, the victim will provide his/her credentials as he/she assumes that he/she has been logged out from the site. Otherwise, the malicious content of the page will be triggered and worked as the attacker intended
- After the victim has given the login information and the page has sent it back to the attacker’s server, the victim will be redirected the victim to the original site imitated by the phishing site (Fig. 1)
How to Reproduce?
- Step 1: We require three html files with a code snippet similar to what is provided below:
FileName - attacker.html -------------------- <!DOCTYPE html> <html> <body> <h1>Attackers Website</h1> <script> window.opener.location = "http://127.0.0.1:8000/DupRentlyMain.html"; </script> </body> </html> FileName - DupRentlyMain.html -------------------- <!DOCTYPE html> <html> <body> <h1> Duplicate Rently Main Website Controlled by Attacker</h1> </body> </html> FileName - RentlyMain.html -------------------- <!DOCTYPE html> <html> <body> <h1>Rently Main Website</h1> <a href="http://127.0.0.1:8000/attacker.html" target="_blank" rel="opener">Controlled by the attacker</a> </body> </html>
- Step 2: Run the below command to run a local web server powered by python
python3 -m http.server
- Step 3: Open http://127.0.0.1:8000/RentlyMain.html
- Step 4: Once clicked on the “Controlled by the attacker” link, a new tab opens with the link – http://127.0.0.1:8000/attacker.html
- Step 5: Observe the Original tab change to http://127.0.0.1:8000/DupRentlyMain.html.
- The Original website is http://127.0.0.1:8000/RentlyMain.html and this page uses target=’_blank’ attribute with rel=’opener’ attribute of the anchor tag which link to the attackers site (http://127.0.0.1:8000/attacker.html).
- Please refer to Fig. 2 for the Live demo.
How to Test?
Check the HTML files in the application to see if links with target=”_blank” are using the noopener and noreferrer keywords in the rel attribute. If not, it is likely that the application is vulnerable to tabnabbing. Such a link becomes exploitable if it either points to a third-party site. That has been compromises by the attacker, or if it is user-controlles.
Check for places where an attacker can insert links, i.e. control the href argument of an <a> tag. Try to insert a link to a page which has the source code given in the above example, and see if the original domain redirects. We can aslo do this in IE if other browsers don’t work.
How to Prevent?
We can prevent this by below actions:
- For HTML linker, add attribute rel=”noopener noreferrer” to every link.
window.open(url, name, 'noopener,noreferrer,' + windowFeatures);
- Add HTTP response header Referrer-Policy: no-referrer to every HTTP response sent by the application.
Get to know about Rently at https://use.rently.com/
To learn more about Engineering topics visit – https://engineering.rently.com
Associate DevSecOps Engineer | Rently