hacktricks/pentesting-web/reverse-tab-nabbing.md

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>


# Maelezo

Katika hali ambapo **mshambuliaji** anaweza **kudhibiti** hoja ya **`href`** ya lebo ya **`<a`** na sifa ya **`target="_blank" rel="opener"`** ambayo itabonyezwa na mwathirika, **mshambuliaji** anaweza **kuielekeza** **kiunga** hiki kwenye wavuti chini ya udhibiti wake (wavuti **mbaya**). Kisha, mara tu **mwathirika anapobonyeza** kiunga na kufikia wavuti ya mshambuliaji, wavuti hii **mbaya** itaweza **kudhibiti** **ukurasa** **asili** kupitia kitu cha javascript **`window.opener`**.\
Ikiwa ukurasa hauna **`rel="opener"` lakini una `target="_blank"` na hauna `rel="noopener"`** pia inaweza kuwa na udhaifu.

Njia ya kawaida ya kutumia tabia hii ni **kubadilisha eneo la wavuti asili** kupitia `window.opener.location = https://attacker.com/victim.html` kwenda kwenye wavuti inayodhibitiwa na mshambuliaji ambayo **inafanana na ile asili**, ili iweze **kuiga** **fomu ya kuingia** ya wavuti asili na kuomba sifa za mtumiaji.

Hata hivyo, kumbuka kwamba sasa **mshambuliaji anaweza kudhibiti kitu cha dirisha cha wavuti asili** anaweza kukitumia kwa njia nyingine kufanya **mashambulizi ya siri** (labda kwa kubadilisha matukio ya javascript ili kutoa habari kwa seva inayodhibitiwa na yeye?)

# Muhtasari

## Na kiunga cha nyuma

Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia haijatumika:

![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITH\_LINK.png)

## Bila kiunga cha nyuma

Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia inatumika:

![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITHOUT\_LINK.png)

## Mifano <a href="#examples" id="examples"></a>

Unda kurasa zifuatazo kwenye saraka na endesha seva ya wavuti na `python3 -m http.server`\
Kisha, **fikia** `http://127.0.0.1:8000/`vulnerable.html, **bonyeza** kiunga na uone jinsi **URL** ya **wavuti asili** **inavyobadilika**.

{% code title="vulnerable.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>Victim Site</h1>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
</body>
</html>
```
{% code title="malicious.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<script>
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
</script>
</body>
</html>
```
{% code title="malicious_redir.html" %}
```markup
<!DOCTYPE html>
<html>
<body>
<h1>New Malicious Site</h1>
</body>
</html>
```
{% endcode %}

## Maliwazo yanayoweza kufikiwa <a href="#accessible-properties" id="accessible-properties"></a>

Katika hali ambapo ufikiaji wa **msalaba-eneo** unatokea (ufikiaji kati ya uwanja tofauti), maliwazo ya darasa la JavaScript la **window**, yanayotajwa na kumbukumbu ya kitu cha JavaScript cha **opener**, ambayo yanaweza kufikiwa na tovuti yenye nia mbaya ni mdogo kwa yafuatayo:

- **`opener.closed`**: Mali hii inatumika kuamua ikiwa dirisha limefungwa, ikirudisha thamani ya boolean.
- **`opener.frames`**: Mali hii inatoa ufikiaji kwa vipengele vyote vya iframe ndani ya dirisha la sasa.
- **`opener.length`**: Idadi ya vipengele vya iframe vilivyopo katika dirisha la sasa inarudishwa na mali hii.
- **`opener.opener`**: Kumbukumbu kwa dirisha ambalo lilifungua dirisha la sasa inaweza kupatikana kupitia mali hii.
- **`opener.parent`**: Mali hii inarudisha dirisha mama ya dirisha la sasa.
- **`opener.self`**: Ufikiaji kwa dirisha la sasa yenyewe unatolewa na mali hii.
- **`opener.top`**: Mali hii inarudisha dirisha la kivinjari cha juu kabisa.

Hata hivyo, katika hali ambapo uwanja ni sawa, tovuti yenye nia mbaya inapata ufikiaji wa mali zote zinazofichuliwa na kumbukumbu ya kitu cha JavaScript cha [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window).

# Kuzuia

Maelezo ya kuzuia yameandikwa katika [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing).

## Marejeo

* [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)


<details>

<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha** [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inayotangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Maelezo`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Katika hali ambapo mshambuliaji anaweza kudhibiti hoja ya `href` ya lebo ya `<a` na sifa ya `target="_blank" rel="opener"` ambayo itabonyezwa na mwathirika, mshambuliaji anaweza kuielekeza kiunga hiki kwenye wavuti chini ya udhibiti wake (wavuti mbaya). Kisha, mara tu mwathirika anapobonyeza kiunga na kufikia wavuti ya mshambuliaji, wavuti hii mbaya itaweza kudhibiti ukurasa asili kupitia kitu cha javascript `window.opener`.\
			Ikiwa ukurasa hauna `rel="opener"` lakini una `target="_blank"` na hauna `rel="noopener"` pia inaweza kuwa na udhaifu.
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Njia ya kawaida ya kutumia tabia hii ni kubadilisha eneo la wavuti asili kupitia `window.opener.location = https://attacker.com/victim.html` kwenda kwenye wavuti inayodhibitiwa na mshambuliaji ambayo inafanana na ile asili, ili iweze kuiga fomu ya kuingia ya wavuti asili na kuomba sifa za mtumiaji.
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Hata hivyo, kumbuka kwamba sasa mshambuliaji anaweza kudhibiti kitu cha dirisha cha wavuti asili anaweza kukitumia kwa njia nyingine kufanya mashambulizi ya siri (labda kwa kubadilisha matukio ya javascript ili kutoa habari kwa seva inayodhibitiwa na yeye?)`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Muhtasari`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Na kiunga cha nyuma`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia haijatumika:`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
a 2024-02-06 03:10:38 +00:00			`![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITH\_LINK.png)`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Bila kiunga cha nyuma`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kiunga kati ya kurasa ya mzazi na mtoto wakati sifa ya kuzuia inatumika:`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
a 2024-02-06 03:10:38 +00:00			`![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING\_OVERVIEW\_WITHOUT\_LINK.png)`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Mifano <a href="#examples" id="examples"></a>`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Unda kurasa zifuatazo kwenye saraka na endesha seva ya wavuti na `python3 -m http.server`\
			Kisha, fikia `http://127.0.0.1:8000/`vulnerable.html, bonyeza kiunga na uone jinsi URL ya wavuti asili inavyobadilika.
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
			`{% code title="vulnerable.html" %}`
			```markup
			`<!DOCTYPE html>`
			`<html>`
			`<body>`
			`<h1>Victim Site</h1>`
			`<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>`
			`</body>`
			`</html>`
			```
			`{% code title="malicious.html" %}`
			```markup
			`<!DOCTYPE html>`
			`<html>`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<body>`
			`<script>`
			`window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";`
			`</script>`
			`</body>`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00			`</html>`
			```
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% code title="malicious_redir.html" %}`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00			```markup
			`<!DOCTYPE html>`
			`<html>`
			`<body>`
			`<h1>New Malicious Site</h1>`
			`</body>`
			`</html>`
			```
			`{% endcode %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Maliwazo yanayoweza kufikiwa <a href="#accessible-properties" id="accessible-properties"></a>`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Katika hali ambapo ufikiaji wa msalaba-eneo unatokea (ufikiaji kati ya uwanja tofauti), maliwazo ya darasa la JavaScript la window, yanayotajwa na kumbukumbu ya kitu cha JavaScript cha opener, ambayo yanaweza kufikiwa na tovuti yenye nia mbaya ni mdogo kwa yafuatayo:`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			- `opener.closed`: Mali hii inatumika kuamua ikiwa dirisha limefungwa, ikirudisha thamani ya boolean.
			- `opener.frames`: Mali hii inatoa ufikiaji kwa vipengele vyote vya iframe ndani ya dirisha la sasa.
			- `opener.length`: Idadi ya vipengele vya iframe vilivyopo katika dirisha la sasa inarudishwa na mali hii.
			- `opener.opener`: Kumbukumbu kwa dirisha ambalo lilifungua dirisha la sasa inaweza kupatikana kupitia mali hii.
			- `opener.parent`: Mali hii inarudisha dirisha mama ya dirisha la sasa.
			- `opener.self`: Ufikiaji kwa dirisha la sasa yenyewe unatolewa na mali hii.
			- `opener.top`: Mali hii inarudisha dirisha la kivinjari cha juu kabisa.
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Hata hivyo, katika hali ambapo uwanja ni sawa, tovuti yenye nia mbaya inapata ufikiaji wa mali zote zinazofichuliwa na kumbukumbu ya kitu cha JavaScript cha [window](https://developer.mozilla.org/en-US/docs/Web/API/Window).`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Kuzuia`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Maelezo ya kuzuia yameandikwa katika [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing).`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
a 2024-02-06 03:10:38 +00:00			`* [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)`
GitBook: [master] 456 pages modified 2021-05-01 15:23:19 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa katika HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi wa PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`