Forum Thread: Playing with Browser Tabs to Trick the User (Advanced Phishing) By : Mohamed Ahmed

Traditional phishing works mainly by sending users an email with a link that, if punched, will redirect them to a malicious site, usually a fake website pretending to be a legitimate one. But what if the redirect to the fake site occurs inadvertently on one of multiple tabs open in the browser?

Today we are going to see two ingenious ways to get it. The first so-called Windows hijacking that will set a counter when opening a tab that once reaches 0 will change the location to the fraudulent page. The second call 'tap nabbing' will change the content equally but in another tab that the user is not seeing at that moment. That way when the user returns to the tab he will believe that he left it open (eg Gmail) and will be logging again. Window hijacking It is known that setting a tag with an attribute like _blank has certain security risks: This is because a new open page has the ability to change the location of the window (windows location) with the following:

window.opener.location = ""

In addition it is also possible to create a web page with the ability to create a new page in a new tab, and then change the location of the newly created page after a period arbitrary time. This can be achieved as follows:

var windowHijack = function(){'', 'test');
setTimeout(function(){'', 'test');}, 300000);
<button onclick="windowHijack()">Open Window!</button>

In the previous example, a new window opens when the button is pressed and, 5 minutes later, the new window will change its location. Even if the new tab is navigated to another website or updated, the original site could still change the location.

.Demo1 In this example, it links to a login page and the timer is set to 5 seconds. When time runs out, the legitimate login page is changed to an illegitimate login page that has a keylogger installed. Demo2 In this secondary example, the attack is combined with Pastejacking . First the link points to and, after being opened, a second 5 second timer will change the location of the legitimate serverfault website to an evil clone of the original page, with pastejacking code. This causes any user who tries to copy the response instead to inject "cat / etc / passwd \ n" into their clipboard. Tap nabbing Open tabs or windows using JavaScript or limited access to parent window, ignoring cross-origin restrictions. These include the ability to redirect the parent tab or window using window.opener.location. While this may seem harmless, it is possible to perform a phishing attack when web applications allow or use anchors with or (). Imagine the following scenario, the most typical:

You are an administrator using some forum or chat software. You are currently connected to the application, and you see a message left by a user. The user requests or persuades you to click on a link in your message, which opens in a new tab. While the new page may seem completely secure - perhaps just a screenshot or an error in HTML - it executes the following JS: window.opener.location.assign (''); What you do not realize is that when dealing with this illegitimate client or user complaint, the application's tab was redirected in the background. To what? To an identical phishing website, which asks you to enter your credentials to re-enter.


A link that opens _blank in a new tab. The JavaScript code that runs on the new tab has a handler with window.opener. The open page opens a fake Github page with the message "Timeout, please log in again". The user closes the open tab and returns to what he thinks is GitHub, where he reinserts the credentials.

see you later .

greetings // m.ahmed
git demos links

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

2 Responses

Where do i put that script and how do i compile it?

i will make a demo video bro , i was busy these days there is a second part don't worry

Share Your Thoughts

  • Hot
  • Active