$ sudo docker pull blabla1337/owasp-skf-lab:tabnabbing
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:tabnabbing
First, make sure python3 and pip are installed on your host machine. After installation, go to the folder of the lab you want to practise (e.g. /skf-labs/XSS/ or /skf-labs/jwt-secret/) and run the following commands:
$ pip3 install -r requirements.txt
$ python3 <labname>
Basically, every application that opens a link in a "_blank" page (a new tab) is interesting to investigate.
<a href="example.com" target="_blank">Follow this link</a>
Let's assume that the domain in the link of the following demo is under our control as a malicious attacker. When we click on the link "Tab me" we find that a new page is opened in another browser tab. This is exactly the behaviour we are looking for!
If we now inspect the source code of the target application in the browser, our assumption is validated. We can perform a reverse tabnabbing phishing attack!
Now it is time to start our evil application so that it can serve our malicious script. We can easily achieve this by running our own simple Python Flask app that could look like this:
from flask import Flask, render_template

# Serve static files from ./static and templates (evil.html) from ./templates
app = Flask(__name__, static_url_path='/static', static_folder='static')
app.config['DEBUG'] = True


@app.route("/")
def start():
    return render_template("evil.html")


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=1337)
Save the snippet above as app.py and run the commands below to install the dependency and start the app.
$ pip install flask
$ python app.py
Of course, you can also run your app on whatever service you want; it does not have to be Python Flask.
Now, after serving the evil web application, open the target application and click on the link with the domain that is under our control. Notice how the parent tab immediately redirects itself to the web page of the Security Knowledge Framework?
A visitor of the application who follows the link will be unexpectedly redirected to a phishing application. This evil application could look identical to the original application, e.g. asking for the user's credentials because their "session expired".
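As an added example (not part of the SKF lab or its code), here is a small Python check a defender can run over a page's HTML to find links that open a new tab without rel="noopener", alongside a helper that renders the hardened form of the link; the sample page and the attacker hostname in it are constructed placeholders.

```python
# Added example: audit HTML for links prone to reverse tabnabbing and render the fix.
import html
from html.parser import HTMLParser


class BlankTargetAuditor(HTMLParser):
    """Collect <a>/<area> tags that open a new tab and leave window.opener reachable."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = {name: (value or "") for name, value in attrs}  # html.parser lowercases names
        if a.get("target", "").strip().lower() != "_blank":
            return
        rel = set(a.get("rel", "").lower().split())
        # rel="noreferrer" implies noopener in current browsers, so either token is enough.
        if not rel & {"noopener", "noreferrer"}:
            self.findings.append(a.get("href", ""))


def find_unsafe_blank_links(page: str) -> list:
    """Return the href of every new-tab link that is missing rel=noopener/noreferrer."""
    auditor = BlankTargetAuditor()
    auditor.feed(page)
    auditor.close()
    return auditor.findings


def harden_link(href: str, text: str) -> str:
    """Render a new-tab link that severs window.opener (noreferrer also covers older browsers)."""
    return (f'<a href="{html.escape(href, quote=True)}" target="_blank" '
            f'rel="noopener noreferrer">{html.escape(text)}</a>')


# Constructed sample page: one link like the lab's "Tab me", one hardened, one same-tab.
SAMPLE_PAGE = """
<a href="http://attacker-controlled.example/" target="_blank">Tab me</a>
<a href="https://example.com/" target="_blank" rel="noopener noreferrer">Safe link</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for href in find_unsafe_blank_links(SAMPLE_PAGE):
        print("missing rel=noopener:", href)
    print("hardened:", harden_link("http://attacker-controlled.example/", "Tab me"))
```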