
window.open()

Window name hijacking

The page needs to be iframe-able and must open a new window with a window name as the second argument, like window.open(url, 'abc').

In this scenario:

  • On the attacker page: an iframe named abc is created. It is loaded as a browsing context with that name
  • Then the attacker page calls window.open() on the page that fulfils the attack requirements
  • On the vulnerable page: it calls window.open(..., 'abc'). Since an iframe named abc already exists, the URL loads in that iframe instead of a new window

This can occur in scenarios such as (but not limited to):

  • OAuth


Ref: CTBB 

Tabnabbing

If a page opens a new tab with window.open("https://example.com", "_blank") without rel="noopener", the new page can access the original page's window object through window.opener.


Ref: HackerOne/#3367676 
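A hardening sketch for both issues above, added here as an example and not taken from the original page or its references: untrusted links are opened with the noopener window feature, and popup flows that need a handle use an unpredictable window name and reject a handle that turns out to be framed. The helper names (openUntrusted, randomWindowName, openPopup) and the win parameter, a Window-like object passed in so the logic can run outside a browser, are assumptions of this example.

```javascript
// Added example, not code from the original page.
// `win` is a Window-like object (pass `window` in a browser).

// Tabnabbing: open untrusted URLs without handing over an opener reference.
function openUntrusted(win, url) {
  // With "noopener" the new page sees window.opener === null,
  // and open() itself returns null to the caller.
  return win.open(url, '_blank', 'noopener,noreferrer');
}

// Window name hijacking: replace a fixed, guessable name such as 'abc'
// with one another page cannot predict and pre-create a frame for.
function randomWindowName(win) {
  const bytes = win.crypto.getRandomValues(new Uint8Array(16));
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  return 'popup-' + hex;
}

// Popup flow (for example OAuth) that needs the handle back,
// so "noopener" cannot be used here.
function openPopup(win, url) {
  const popup = win.open(url, randomWindowName(win), 'width=500,height=650');
  if (!popup) {
    return null; // popup blocked
  }
  // A genuine popup is its own top-level window. If the handle has a
  // different parent, the URL was loaded into a frame: stop the flow.
  if (popup.parent !== popup) {
    return null;
  }
  return popup;
}
```

A caller that gets null from openPopup should abort the flow rather than wait for a message from the popup.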
