Tag: HTML Anchor Tag

How HTML Anchor Tag Could Be Used To Perform DDOS Attacks

Post author By Amar Nath
Post date May 13, 2019
No Comments on How HTML Anchor Tag Could Be Used To Perform DDOS Attacks

Chinese attackers have been using HTML Anchor tags to perform DDOS attacks across the world these days. This is one such instance where a seemingly benign feature addition done to the HTML technical specification has inadvertently opened a Pandora box of its misuse/abuse by hackers and attackers.

As mentioned in my introductory article to HTML Anchor Tags, Anchor tags are used to link documents present on the word wide web so that users of a web page can easily navigate to a new web page seamlessly from their web browsers.

An example of HTML code using anchor tags looks something like this:

<a href="https://muddoo.com" title="Muddoo Home">Muddoo</a>

While the above code is a standard way of using HTML anchor tags, there are also additional anchor tag attributes one can use to add new features to the anchor tag’s overall functionality. In our previous article we looked at the noopener attribute that ensures that when the respective anchor links are opened in a new window, they are opened in a separate thread all together and have no relationship to the parent web page in anyways. This ensured that Cross Site Script (XSS) attacks could not be made from child web page to the parent page.

Just like the noopener attribute, we have another attribute associated with the anchor tags that some hackers are misusing to perform DDOS attacks on other websites. This attribute is the “ping” attribute of the anchor tags!

What is HTML Ping Attribute?

Ping is a new attribute of an Anchor tag that was introduced in HTML5 specification. Ping attribute would list a set of one or more URLs that are pinged back whenever a user of a web page follows a hyperlink from that anchor tag.

The idea of introducing Ping attribute to anchor tags was to enable web administrators track clicks on that hyperlink. An example of how this attribute looks like is shown below:

<a href="https://google.com" ping="https://muddoo.com/tracker">Go to Google</a>

So in the above example, whenever a user clicks on “Go to Google” hyperlink, he will be taken to the Google home page, but at the same time, a ping POST message is sent back to the https://muddoo.com/tracker webpage for muddoo.com website to keep track of number of users going to Google through that hyperlink.

But the problem occurred when some of the Chinese hackers started using this innocuous feature to perform DDOS attacks on many websites. They simply created web page with links to standard websites such as Alibaba or Tabao, while using ping back links to their target websites. They specifically targeted people using QQBrowser (from Chinese giant Tencent) to use their web pages to reach standard websites. This resulted in millions of Ping request going back to targeted websites thus acting as a DDOS attack on these websites.

How to prevent Anchor Tag Ping attacks from your web pages?

With good understanding of how the attack is being performed, you must be wondering how you can prevent such DDOS attacks originating from your websites or getting attacked by one. But unfortunately, there are no clear solutions in place as the support for Ping requests are part of HTML 5 specifications so all browsers will be supporting it (well, more or less), so your only best possibilities will be to keep monitoring such activities on your web server and take appropriate action at the right moment.

Hope this article gave good introduction to the possible Ping DDOS attacks happening due to the presence of Ping attribute in the HTML Anchor tags. This article has been part of series of articles that I have been writing about HTML tags with this being the third article on HTML Anchor Tags.

If you would like to take a look at other two articles, you can follow these links:

Introduction To HTML Anchor Tag

What is noopener vulnerability found in anchor tags of HTML?

Until next time, happy coding! 🙂

Tags HTML Anchor Tag, HTML Interview, HTML Ping, HTML Vulnerabilities, Interview Questions, Vulnerabilities, vulnerability fix

HTML STATIC WEBSITES TUTORIALS WEB SERVER WORDPRESS

What is noopener vulnerability found in anchor tags of HTML?

Post author By Amar Nath
Post date May 13, 2019
1 Comment on What is noopener vulnerability found in anchor tags of HTML?

HTML anchor tags are used to link to different web pages available on the internet. We also frequently use “target” attribute with the anchor tags so that the linked web page is opened in a separate new window. This is achieved by using the anchor tag like this:

<a href="https://muddoo.com" target="_blank"title="Muddoo Home">Home</a>

Note that in the above code we set the “target” value to be _blank, which would result in the linked web page (https://muddoo.com in this case) to be opened in a new window.

However, it has been found that this can leave a possible vulnerability where in the remotely linked web page can take over control of your web page.

Why does this vulnerability happen?

This vulnerability of remotely linked web page taking over your web page (that is having the anchor tag) is because of the following reasons:

In normal scenario, whenever you open a new web page in your browser in a new window, the web page is running in its own separate thread.
Now when we open a link present in that web page, the new linked web page gets opened in a new window due to the presence of “target” attribute of the anchor tag. However, in this scenario, the newly opened web page is also running under its parent’s thread itself instead of its own thread.
As a result, the newly opened external web page has controls over its parent’s thread. There by creating a vulnerable situation!

How to overcome anchor tag’s “target” vulnerability?

We can overcome this “target” thread control vulnerability simply by introducing a new attribute to your anchor tags called the rel=”noopener” attribute.

Thus, the new fixed anchor tag would look something like this:

<a href="https://muddoo.com" target="_blank"title="Muddoo Home" rel="noopener">Home</a>

With this simple change, we can ensure that the newly opened web page runs in it’s own thread there by having no link to it’s parent thread in any way!

Hope you are now aware of this possible vulnerability and ensure you start using the rel=”noopener” attributes to all your web pages’ external links!

Happy coding! 🙂

Note: This article is continuation of my previous article Introduction To HTML Anchor Tag

Tags HTML Anchor Tag, HTML Interview, HTML noopener, Interview Questions, Vulnerabilities, vulnerability fix

CMS HTML STATIC WEBSITES TUTORIALS WEB SERVER WORDPRESS

Introduction To HTML Anchor Tag

Post author By Amar Nath
Post date May 13, 2019
1 Comment on Introduction To HTML Anchor Tag

Brief structure of an HTML Anchor tag — Typical HTML Anchor tag usage in web documents

Anchor tag is an HTML tag that is used to mark the beginning and end of a hyperlink text in the HTML document.

A website is made up of one or more HTML documents that contains all the information parts of the website. But word wide web as a whole mainly works because of the ability of these HTML web documents to link (or refer) to each other. This inter-linking of web pages is achieved by using the HTML anchor tags.

A typical structure of an anchor tag looks like this:

<a href="https://muddoo.com" title="Muddoo Home">Muddoo</a>

From the above, we note that an anchor tag starts and ends between notations like <a> and </a>. In other words, HTML anchor tags have both opening and closing tags. Text between this opening and closing tags is called the anchor text and is responsible for taking the user to a new document upon being clicked. In the above example, “Muddoo” is the anchor text.

But where does the user go on clicking the Anchor text? This is determined by the href attribute of the HTML anchor tag. The url in the href attribute of anchor tag is the destination web page’s address where the user will be taken to.

In addition to href attribute, the HTML anchor tag also has another attribute called “title”. The title attribute of the HTML anchor tag holds a piece of text that the user will see upon hovered over by the mouse. It is also helpful as an accessibility feature for people using screen readers as it gets read out by the screen readers.

Finally, there are also a few other attributes such as “target” attribute which provides additional functions such as determining if the destination web page is to be opened in the same window or a new window. These type of additional attributes can be looked upon in the official w3c html specification document.

But all in all, the Anchor tags are the fundamental elements of the world wide web that weaves the inter-connected paths between various web documents that helps the web users to seamlessly navigate between various websites and documents without any hassles.

Hope this gave a brief introduction to the HTML anchor tags. HTM Anchor tags are tags that are going to be used regularly while creating a HTML web page so having a clear understanding of its structure and how it works becomes essential. In the same line, I will continue to document more about other HTML tags in the future that are bare essential for web development.

Until then, happy coding!

Tags Front End Development, HTML, HTML Anchor Tag, HTML Tags, Web Development