Hacktricks-skills reverse-tab-nabbing

Security skill for identifying and fixing reverse tab nabbing vulnerabilities in HTML links. Use this skill whenever you need to audit HTML code for target="_blank" security issues, review link patterns, or secure web applications against window.opener attacks. This skill helps detect vulnerable anchor tags and provides remediation guidance. Make sure to use this skill when reviewing any HTML with external links, auditing web applications for security vulnerabilities, or when users mention phishing, link security, or target blank issues.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/reverse-tab-nabbing/SKILL.MD
source content

Reverse Tab Nabbing Security Skill

A skill for identifying, understanding, and preventing reverse tab nabbing vulnerabilities in web applications.

What is Reverse Tab Nabbing?

Reverse tab nabbing is a security vulnerability where an attacker controls the href of an <a> tag with target="_blank" and rel="opener". When a victim clicks the link, the attacker's malicious website gains control over the original page via window.opener, allowing them to:

  • Redirect the original page to a phishing site that mimics the legitimate site
  • Modify the page content to steal credentials
  • Exfiltrate data through JavaScript events
  • Perform other stealthy attacks on the original window

When to Use This Skill

Use this skill when:

  • Auditing HTML code for security vulnerabilities
  • Reviewing link patterns in web applications
  • Securing applications that use target="_blank" links
  • Investigating potential window.opener attacks
  • Creating secure link patterns for web development
  • Users mention phishing, link security, or target blank issues

Vulnerable Patterns

Pattern 1: Explicit rel="opener"

<a href="https://attacker.com" target="_blank" rel="opener">Click me</a>

Status: VULNERABLE - Direct window.opener access

Pattern 2: Missing rel attribute with target="_blank"

<a href="https://attacker.com" target="_blank">Click me</a>

Status: VULNERABLE - Modern browsers may still allow opener access

Pattern 3: Incomplete rel attribute

<a href="https://attacker.com" target="_blank" rel="noopener">Click me</a>

Status: PARTIALLY SECURE - Missing noreferrer for referrer protection

Pattern 4: Secure pattern

<a href="https://example.com" target="_blank" rel="noopener noreferrer">Safe link</a>

Status: SECURE - Proper protection against reverse tab nabbing

Detection

Manual Review Checklist

When reviewing HTML code, check for:

  1. All <a> tags with target="_blank" - These require rel="noopener noreferrer"
  2. Dynamic link generation - Check JavaScript that creates links programmatically
  3. Third-party integrations - External links from APIs or user-generated content
  4. Email templates - HTML emails often have vulnerable link patterns

Automated Scanning

Use the bundled script to scan HTML files:

python scripts/scan_reverse_tab_nabbing.py <path-to-html-files>

The script will:

  • Find all anchor tags with target="_blank"
  • Identify missing or incomplete rel attributes
  • Generate a detailed report with line numbers and remediation
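
A minimal sketch of this kind of scan, added here as an example; it is not the bundled scripts/scan_reverse_tab_nabbing.py, and the names classify, BlankTargetAuditor, scan and SAMPLE are assumptions. It applies the four status labels from the Vulnerable Patterns section to constructed sample HTML and reports the line of each target="_blank" link.

```python
from html.parser import HTMLParser

REQUIRED = {"noopener", "noreferrer"}
# Constructed sample: the four patterns from this page plus a same-tab link.
SAMPLE = """\
<a href="https://attacker.com" target="_blank" rel="opener">Click me</a>
<a href="https://attacker.com" target="_blank">Click me</a>
<a href="https://attacker.com" target="_blank" rel="noopener">Click me</a>
<a href="https://example.com" target="_blank" rel="noopener noreferrer">Safe link</a>
<a href="/about">Same tab, not reported</a>
"""

def classify(rel_value):
    """Map a rel attribute value to one of the page's status labels."""
    tokens = set(rel_value.lower().split())
    if "opener" in tokens:
        return "VULNERABLE"        # Pattern 1: explicit opener
    if REQUIRED <= tokens:
        return "SECURE"            # Pattern 4: both tokens present
    if REQUIRED & tokens:
        return "PARTIALLY SECURE"  # Pattern 3: only one of the two tokens
    return "VULNERABLE"            # Pattern 2: rel missing or unrelated

class BlankTargetAuditor(HTMLParser):
    """Records (line, href, status) for each <a> with target="_blank"."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {}
        for name, value in attrs:
            attr.setdefault(name, value or "")  # first duplicate wins, as in browsers
        if attr.get("target", "").lower() != "_blank":
            return
        status = classify(attr.get("rel", ""))
        self.findings.append((self.getpos()[0], attr.get("href", ""), status))

def scan(html_text):
    """Return a list of (line, href, status) tuples for one HTML document."""
    auditor = BlankTargetAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for line, href, status in scan(SAMPLE):
        print(f"line {line}: {status:<16} {href}")
```

Links built at runtime by JavaScript never appear in the static HTML, so they still need the manual review from the checklist above.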

Remediation

Fix Vulnerable Links

Before:

<a href="https://external-site.com" target="_blank">Visit Site</a>

After:

<a href="https://external-site.com" target="_blank" rel="noopener noreferrer">Visit Site</a>

Why Both Attributes?

  • noopener: Prevents the new page from accessing window.opener
  • noreferrer: Prevents leaking referrer information to the external site

For JavaScript-Generated Links

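// Destination URL, taken from the Before/After example above
const externalUrl = 'https://external-site.com';

// Vulnerable: no rel set on a link that opens a new tab
const vulnerableLink = document.createElement('a');
vulnerableLink.href = externalUrl;
vulnerableLink.target = '_blank';

// Secure: rel set before the link is used
const secureLink = document.createElement('a');
secureLink.href = externalUrl;
secureLink.target = '_blank';
secureLink.rel = 'noopener noreferrer';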

Testing the Vulnerability

Create Test Files

To verify your understanding, create these test files:

vulnerable.html:

<!DOCTYPE html>
<html>
<body>
<h1>Victim Site</h1>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by attacker</a>
</body>
</html>

malicious.html:

<!DOCTYPE html>
<html>
<body>
<script>
window.opener.location = "http://127.0.0.1:8000/phishing.html";
</script>
</body>
</html>

phishing.html:

<!DOCTYPE html>
<html>
<body>
<h1>Phishing Site - Looks like original</h1>
<form>
  <input type="text" placeholder="Username">
  <input type="password" placeholder="Password">
  <button>Login</button>
</form>
</body>
</html>

Run with:

python3 -m http.server 8000

Access http://127.0.0.1:8000/vulnerable.html and click the link to observe the redirect.

Accessible Properties (Cross-Origin)

When cross-origin access occurs, these window properties are accessible via window.opener:

  • opener.closed - Boolean indicating if window is closed
  • opener.frames - Access to iframe elements
  • opener.length - Number of iframe elements
  • opener.opener - Reference to opening window
  • opener.parent - Parent window reference
  • opener.self - Current window reference
  • opener.top - Topmost browser window

When domains are identical, ALL window properties are accessible.

Prevention Best Practices

  1. Always use rel="noopener noreferrer" with target="_blank"
  2. Audit existing codebases for vulnerable patterns
  3. Update CSS frameworks that may generate vulnerable links
  4. Train developers on this vulnerability
  5. Include in security reviews as a standard checklist item
  6. Use linters to catch missing rel attributes
