zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

Pscan rule to check for rel=noopener #3693

Closed. psiinon closed this issue 6 years ago.

psiinon commented 7 years ago

As per https://groups.google.com/d/msg/zaproxy-users/caDa9my443k/isWGNZhPAAAJ and https://mathiasbynens.github.io/rel-noopener/

For working out which links are 'external', you can use something like this: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanner.java#L136-L163

kingthorin commented 7 years ago

Ok so just to make sure we're all aligned, based on mathiasbynens site:

Recommendations: "To prevent pages from abusing window.opener, use rel=noopener. This ensures window.opener is null in Chrome 49 and Opera 36. For older browsers, you could use rel=noreferrer."

So the new passive scan rule should check for cross-domain links with target="_blank" and alert if rel=noopener and rel=noreferrer are not set for the same tag? I guess rel=noopener noreferrer is also valid; if they're comma-separated, is that still valid? Will Jericho handle that without having to overthink it? What are people's feelings about the risk level for the alert(s)?

Looks like there's been talk about this since May 2016 at least: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Slightly off-topic: I guess ZAP should have an isExternal or isCrossDomain function (or set of functions) in the core somewhere that scanners could leverage instead of duplicating (CrossDomainScriptInclusionScanner.java#L136-L163)? [Though that's longer term than this ticket.]
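The check described in the comment above, written out as a stand-alone Python example. This is an addition to the thread, not ZAP's own rule (the one that landed in zap-extensions is Java and uses Jericho); the function and sample names (find_unsafe_blank_links, SAMPLE_HTML, PAGE_URL) are the example's own, and the sample HTML is constructed for it. The logic mirrors the three conditions discussed: the anchor points at a host other than the page's host (the same host comparison the CrossDomainScriptInclusionScanner link uses), it has target="_blank", and its rel attribute contains neither noopener nor noreferrer. On the comma question: the HTML spec defines rel as a set of ASCII-whitespace-separated tokens, so the example splits on whitespace and a value like "noopener,noreferrer" is one unrecognised token and still gets flagged.

```python
"""Added example (not ZAP code): flag cross-domain target="_blank" links
that lack rel=noopener / rel=noreferrer, so window.opener is left exposed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAFE_REL_TOKENS = {"noopener", "noreferrer"}

# Constructed sample page and links for the demonstration.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<a href="https://partner.example.net/offer" target="_blank">1 flagged: no rel</a>
<a href="https://partner.example.net/offer" target="_blank" rel="noopener">2 ok</a>
<a href="https://partner.example.net/offer" target="_blank" rel="noreferrer">3 ok</a>
<a href="https://partner.example.net/offer" target="_blank" rel="noopener,noreferrer">4 flagged: comma is not a separator</a>
<a href="/local/page" target="_blank">5 ok: relative, same site</a>
<a href="https://www.example.com/other" target="_blank">6 ok: same host</a>
<a href="https://partner.example.net/offer">7 ok: no target=_blank</a>
<a href="//cdn.example.org/x" target="_BLANK" rel="nofollow">8 flagged: protocol-relative, wrong rel</a>
<a href="mailto:someone@example.org" target="_blank">9 ok: no host</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; a missing value is None.
        if tag == "a":
            self.anchors.append({name: (value or "") for name, value in attrs})


def is_cross_domain(page_url, href):
    """True when href resolves to a host other than the page's own host.

    Relative links and scheme-only links (mailto:, javascript:) carry no host
    and are treated as same-site, like the ZAP rule linked in the thread.
    Protocol-relative links (//other.host/...) do carry a host and count."""
    page_host = (urlparse(page_url).hostname or "").lower()
    link_host = (urlparse(href.strip()).hostname or "").lower()
    return bool(link_host) and link_host != page_host


def rel_tokens(rel_value):
    """Split rel the way the HTML spec defines it: ASCII whitespace separated,
    case-insensitive tokens. "noopener,noreferrer" is one unknown token."""
    return {token.lower() for token in rel_value.split()}


def find_unsafe_blank_links(page_url, html):
    """Return the hrefs of anchors that open a cross-domain page in a new
    browsing context without severing the opener relationship."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.anchors:
        href = attrs.get("href", "")
        # target keyword matching is ASCII case-insensitive in browsers.
        if attrs.get("target", "").strip().lower() != "_blank":
            continue
        if not is_cross_domain(page_url, href):
            continue
        if rel_tokens(attrs.get("rel", "")) & SAFE_REL_TOKENS:
            continue
        findings.append(href)
    return findings


if __name__ == "__main__":
    for href in find_unsafe_blank_links(PAGE_URL, SAMPLE_HTML):
        print("window.opener exposed to cross-domain page:", href)
```

Run as a script it prints the three flagged hrefs (links 1, 4 and 8). A real rule would also report the offending tag and line, and would need a decision on whether noreferrer alone is accepted (as here, following the quoted recommendation for older browsers) or whether noopener is required in addition.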

kingthorin commented 6 years ago

Can someone confirm (or correct) my understanding above? If so I'll start looking into implementing such a scan rule.

thc202 commented 6 years ago

Fixed in zaproxy/zap-extensions#1365.

thc202 commented 6 years ago

Released in version 19 of the Passive scanner rules (alpha) add-on.

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.