CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE-1022: Use of Web Link to Untrusted Target with window.opener Access

Weakness ID: 1022
Abstraction: Variant
Structure: Simple
+Description
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
+Extended Description
When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.
+Alternate Terms
tabnabbing
+Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+Relevant to the view "Research Concepts" (CWE-1000)
Nature Type ID Name
ChildOf Base 266 Incorrect Privilege Assignment
(Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.)
+Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase Note
Architecture and Design This weakness is introduced during the design of an application when the architect does not specify that a linked external document should not be able to alter the location of the calling page.
Implementation This weakness is introduced during the coding of an application when the developer does not include the noopener and/or noreferrer value(s) for the rel attribute.
+Applicable Platforms
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

JavaScript(Often Prevalent)

Technologies

Class: Web Based (Often Prevalent)

+Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope Impact Likelihood
Confidentiality

Technical Impact:Alter Execution Logic

A user could be redirected to an untrusted page that contains undesired content or malicious script code.
+Likelihood Of Exploit
Medium
+Demonstrative Examples

Example 1

In this example, the application opens a link in a named window/tab without taking precautions to prevent the called page from tampering with the calling page's location in the browser.

There are two ways this weakness is commonly seen. The first is when the application generates an <a> tag with target="_blank" that points to a target site:

If the attacker offers a useful page at this link (or compromises a trusted, popular site), then a user may click on it. However, the attacker can use script code to modify the location property of window.opener and redirect the application to a malicious, attacker-controlled page - for example, one that mimics the look and feel of the original application and convinces the user to re-enter authentication credentials, i.e. phishing:

(attack code)
Example Language:JavaScript
window.opener.location = 'http://phishing.example.org/popular-bank-page';

To mitigate this type of weakness, some browsers support the "rel" attribute with a value of "noopener", which sets the window.opener object equal to null. Another option is to use the "rel" attribute with a value of "noreferrer", which in essence does the same thing.

The second way this weakness is commonly seen is when a new site is opened directly from JavaScript. In this case, the new site is opened using the window.open() function.

(bad code)
Example Language:JavaScript
var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");

To mitigate this, set the window.opener object to null.

(good code)
Example Language:JavaScript
var newWindow = window.open("http://attacker-site.example.com/useful-page.html", "_blank");
newWindow.opener = null;
+Potential Mitigations

Phase: Architecture and Design

Specify in the design that any linked external document must not be granted access to the location object of the calling page.

Phase: Implementation

If opening the external document in a new window via JavaScript, then reset the opener by setting it equal to null.

Phase: Implementation

Do not use "_blank" targets. However, this can affect the usability of the application.
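As an added example, not part of the CWE entry or any project's code, the following JavaScript audits rendered HTML for the pattern the entry describes (an external target="_blank" anchor whose rel attribute lacks "noopener" or "noreferrer") and renders outbound links with that mitigation applied. APP_ORIGIN, the sample HTML and the function names are constructed for illustration.

```javascript
// Constructed origin of the application that emits the links.
const APP_ORIGIN = "https://app.example.com";

// Parse the double-quoted attributes of one <a ...> start tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// An href is external when it resolves to an origin other than the app's own.
function isExternal(href, origin = APP_ORIGIN) {
  try {
    return new URL(href, origin).origin !== new URL(origin).origin;
  } catch {
    return false; // unparsable hrefs are not treated as cross-origin links
  }
}

// Return the hrefs of every external target="_blank" anchor in html whose
// rel attribute carries neither "noopener" nor "noreferrer" (CWE-1022 pattern).
function findTabnabbingLinks(html, origin = APP_ORIGIN) {
  const findings = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    if ((a.target || "").toLowerCase() !== "_blank") continue;
    if (!a.href || !isExternal(a.href, origin)) continue;
    const rel = (a.rel || "").toLowerCase().split(/\s+/);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push(a.href);
  }
  return findings;
}

// Render a target="_blank" link; external targets get rel="noopener noreferrer".
function renderExternalLink(href, text, origin = APP_ORIGIN) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  const rel = isExternal(href, origin) ? ' rel="noopener noreferrer"' : "";
  return `<a href="${esc(href)}" target="_blank"${rel}>${esc(text)}</a>`;
}

// Constructed page fragment: only the second link should be reported.
const SAMPLE_HTML = `
<a href="/help" target="_blank">Help</a>
<a href="http://attacker-site.example.com/useful-page.html" target="_blank">Useful page</a>
<a href="https://partner.example.org/" target="_blank" rel="noopener">Partner</a>
<a href="https://other.example.net/" target="_blank" rel="noreferrer">Other</a>
`;
```

Running findTabnabbingLinks over server-rendered templates in CI catches the first pattern in the entry; the window.open() case is mitigated separately by nulling the opener as shown above.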

+References
[REF-39] Alex Yumashev. "target="_blank" - the most underestimated vulnerability ever". 2016-05-04. <https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c>.
[REF-40] Ben Halpern. "The target="_blank" vulnerability by example". 2016-09-11. <https://dev.to/ben/the-targetblank-vulnerability-by-example>.
[REF-958] Mathias Bynens. "About rel=noopener". 2016-03-15. <https://mathiasbynens.github.io/rel-noopener/>.
+Content History
+Submissions
Submission Date Submitter Organization
2017-09-26 David Deatherage Silicon Valley Bank
+Modifications
Modification Date Modifier Organization
2018-03-27 CWE Content Team MITRE
updated Alternate_Terms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, References
2020-02-24 CWE Content Team MITRE
updated Applicable_Platforms, Relationships
2021-07-20 CWE Content Team MITRE
updated Potential_Mitigations
+Previous Entry Names
Change Date Previous Entry Name
2018-03-27 Improper Restriction of Cross-Origin Permission to window.opener.location
Page Last Updated: January 31, 2023