The target="_blank" vulnerability by example

Hi, I’m Anselm Hannemann. Freelance webdesigner, frontend engineer, advisor. Curating WDRL, growing vegetables on a market garden farm.

This link appeared in WDRL 151 on 26.08.2016.

The target="_blank" vulnerability by example

I recently shared an attack abusing target="_blank" on pages where users can add custom URLs. To make clear how bad the attack is, Ben Halpern now shows how he made it work on Instagram (they fixed it pretty fast). . So remember to use rel="noopener" for any URL that you didn’t hard-code into the source.