CyberCode Academy

Course 38 - Web Security Known Web Attacks | Episode 4: From Phishing to Reverse Clickjacking


Listen Later

In this lesson, you’ll learn about: window.opener risks, phishing via tab manipulation, and Same Origin Method Execution (SOME)1. What is window.openerUsing JavaScript:🔹 Definition:
  • A property that gives a newly opened tab access to its parent tab
🔹 When it exists:
  • When a link uses target="_blank"
👉 Key Insight
A child tab can control or modify the parent tab2. Why window.opener is Dangerous🔹 Core issue:
  • Trust between tabs is implicit
🔹 Risk:
  • The new tab may be malicious or compromised
👉 Key Insight
Opening external links creates a hidden trust boundary3. Phishing via window.opener🔹 Attack flow:
  1. User clicks link on trusted site
  2. New tab opens (attacker-controlled)
  3. Attacker uses window.opener
  4. Parent tab is redirected to fake login page
👉 Key Insight
User thinks they’re still on the trusted site4. Why This Phishing Works🔹 Psychological factor:
  • User trusts the original tab
🔹 Technical factor:
  • URL changes silently in background
👉 Key Insight
This attack combines technical manipulation + human trust5. Same Origin Method Execution (SOME)🔹 Definition:
  • Triggering actions in another window using limited scripting capabilities
🔹 Also known as:
  • Reverse clickjacking
👉 Key Insight
Even without full XSS, attackers can still execute actions indirectly6. How SOME Works🔹 Core idea:
  • Child tab keeps reference to parent
  • Waits for parent to reach sensitive state
  • Triggers actions programmatically
👉 Key Insight
Timing + reference = powerful attack vector7. Weak Callback Exploitation🔹 Targets:
  • JSONP endpoints
  • Legacy browser integrations
🔹 Why they matter:
  • Accept limited characters
  • Still allow function execution
👉 Key Insight
Even restricted inputs can be abused for execution8. Example Impact of SOME🔹 Possible actions:
  • Trigger button clicks
  • Submit forms
  • Perform sensitive operations
👉 Key Insight
User doesn’t need to interact—actions happen silently9. Relation to Other Attacks🔹 Similar to:
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
🔹 Difference:
  • Uses browser relationships instead of direct injection
👉 Key Insight
SOME is a bypass technique when XSS/CSRF are blocked10. Preventing window.opener Attacks🔹 Best practices:
  • Add rel="noopener noreferrer" to links
  • Avoid unnecessary target="_blank"
  • Use strict Content Security Policy (CSP)
👉 Key Insight
You must explicitly break the opener relationship11. Defense Against SOME🔹 Strategies:
  • Avoid JSONP and legacy callbacks
  • Validate all actions server-side
  • Implement CSRF protections
👉 Key Insight
Never rely on client-side trust12. Big Security Lesson🔹 Core idea:
  • Browser features can be weaponized
🔹 Reality:
  • Even “normal” functionality can become an attack vector
👉 Key Insight
Security requires understanding how features interact, not just codeKey Takeaways
  • window.opener allows child tabs to control parent tabs
  • Can be used for stealth phishing attacks
  • SOME enables action execution without full XSS
  • Legacy features increase risk
  • Proper link attributes and validation are critical
Big PictureYou are learning:👉 How browser tab relationships create vulnerabilities
👉 How attackers exploit trust and timing
👉 How modern defenses evolved from these weaknessesMental ModelUser click → new tab → opener reference → parent manipulation → exploitation

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
...more
View all episodesView all episodes
Download on the App Store

CyberCode AcademyBy CyberCode Academy