Course 38 - Web Security Known Web Attacks | Episode 4: From Phishing to Reverse Clickjacking
In this lesson, you’ll learn about: window.opener risks, phishing via tab manipulation, and Same Origin Method Execution (SOME)1. What is window.openerUsing JavaScript:🔹 Definition:
A property that gives a newly opened tab access to its parent tab
🔹 When it exists:
When a link uses target="_blank"
👉 Key Insight A child tab can control or modify the parent tab2. Why window.opener is Dangerous🔹 Core issue:
Trust between tabs is implicit
🔹 Risk:
The new tab may be malicious or compromised
👉 Key Insight Opening external links creates a hidden trust boundary3. Phishing via window.opener🔹 Attack flow:
User clicks link on trusted site
New tab opens (attacker-controlled)
Attacker uses window.opener
Parent tab is redirected to fake login page
👉 Key Insight User thinks they’re still on the trusted site4. Why This Phishing Works🔹 Psychological factor:
User trusts the original tab
🔹 Technical factor:
URL changes silently in background
👉 Key Insight This attack combines technical manipulation + human trust5. Same Origin Method Execution (SOME)🔹 Definition:
Triggering actions in another window using limited scripting capabilities
🔹 Also known as:
Reverse clickjacking
👉 Key Insight Even without full XSS, attackers can still execute actions indirectly6. How SOME Works🔹 Core idea:
👉 Key Insight Even restricted inputs can be abused for execution8. Example Impact of SOME🔹 Possible actions:
Trigger button clicks
Submit forms
Perform sensitive operations
👉 Key Insight User doesn’t need to interact—actions happen silently9. Relation to Other Attacks🔹 Similar to:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
🔹 Difference:
Uses browser relationships instead of direct injection
👉 Key Insight SOME is a bypass technique when XSS/CSRF are blocked10. Preventing window.opener Attacks🔹 Best practices:
Add rel="noopener noreferrer" to links
Avoid unnecessary target="_blank"
Use strict Content Security Policy (CSP)
👉 Key Insight You must explicitly break the opener relationship11. Defense Against SOME🔹 Strategies:
Avoid JSONP and legacy callbacks
Validate all actions server-side
Implement CSRF protections
👉 Key Insight Never rely on client-side trust12. Big Security Lesson🔹 Core idea:
Browser features can be weaponized
🔹 Reality:
Even “normal” functionality can become an attack vector
👉 Key Insight Security requires understanding how features interact, not just codeKey Takeaways
window.opener allows child tabs to control parent tabs
Can be used for stealth phishing attacks
SOME enables action execution without full XSS
Legacy features increase risk
Proper link attributes and validation are critical
Big PictureYou are learning:👉 How browser tab relationships create vulnerabilities 👉 How attackers exploit trust and timing 👉 How modern defenses evolved from these weaknessesMental ModelUser click → new tab → opener reference → parent manipulation → exploitation
You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
Course 38 - Web Security Known Web Attacks | Episode 4: From Phishing to Reverse Clickjacking
In this lesson, you’ll learn about: window.opener risks, phishing via tab manipulation, and Same Origin Method Execution (SOME)1. What is window.openerUsing JavaScript:🔹 Definition:
A property that gives a newly opened tab access to its parent tab
🔹 When it exists:
When a link uses target="_blank"
👉 Key Insight A child tab can control or modify the parent tab2. Why window.opener is Dangerous🔹 Core issue:
Trust between tabs is implicit
🔹 Risk:
The new tab may be malicious or compromised
👉 Key Insight Opening external links creates a hidden trust boundary3. Phishing via window.opener🔹 Attack flow:
User clicks link on trusted site
New tab opens (attacker-controlled)
Attacker uses window.opener
Parent tab is redirected to fake login page
👉 Key Insight User thinks they’re still on the trusted site4. Why This Phishing Works🔹 Psychological factor:
User trusts the original tab
🔹 Technical factor:
URL changes silently in background
👉 Key Insight This attack combines technical manipulation + human trust5. Same Origin Method Execution (SOME)🔹 Definition:
Triggering actions in another window using limited scripting capabilities
🔹 Also known as:
Reverse clickjacking
👉 Key Insight Even without full XSS, attackers can still execute actions indirectly6. How SOME Works🔹 Core idea:
👉 Key Insight Even restricted inputs can be abused for execution8. Example Impact of SOME🔹 Possible actions:
Trigger button clicks
Submit forms
Perform sensitive operations
👉 Key Insight User doesn’t need to interact—actions happen silently9. Relation to Other Attacks🔹 Similar to:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
🔹 Difference:
Uses browser relationships instead of direct injection
👉 Key Insight SOME is a bypass technique when XSS/CSRF are blocked10. Preventing window.opener Attacks🔹 Best practices:
Add rel="noopener noreferrer" to links
Avoid unnecessary target="_blank"
Use strict Content Security Policy (CSP)
👉 Key Insight You must explicitly break the opener relationship11. Defense Against SOME🔹 Strategies:
Avoid JSONP and legacy callbacks
Validate all actions server-side
Implement CSRF protections
👉 Key Insight Never rely on client-side trust12. Big Security Lesson🔹 Core idea:
Browser features can be weaponized
🔹 Reality:
Even “normal” functionality can become an attack vector
👉 Key Insight Security requires understanding how features interact, not just codeKey Takeaways
window.opener allows child tabs to control parent tabs
Can be used for stealth phishing attacks
SOME enables action execution without full XSS
Legacy features increase risk
Proper link attributes and validation are critical
Big PictureYou are learning:👉 How browser tab relationships create vulnerabilities 👉 How attackers exploit trust and timing 👉 How modern defenses evolved from these weaknessesMental ModelUser click → new tab → opener reference → parent manipulation → exploitation
You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy