A demo of altering an opened tab after a timer

Services available


Need anything else?

Contributors list

# 13,176
4 commits
# 619,807
1 commit

Window hijacking

This is a demonstration of a website opening a new tab after a link is clicked, and then after a timer of any length, while the user is on the new page, changing the location of that new page.


It's known that an anchor tag with a target attribute of _blank has security risks:

This is because the newly opened page has the ability to change the window location of the page that opened it, with the following:

window.opener.location = ""

However, this demonstration shows that a website has the ability to create a new page in a new tab, and then change the location of the newly created page after an arbitrary period of time has passed. This can be achieved as follows:

Open Window!

In the above example, a new window is opened when the button is pressed, and 5 minutes later the new window changes location. Even if the new tab is navigated to another website, or refreshed, the original website can still change its location.


Users may be tricked into clicking links that are innocent, but that change to be malicious after an arbitrary period of time. For example, a link may take a user to Facebook; however, after an arbitrary period of time, the tab may change to a fraudulent cloned login page that steals credentials.

Demo 1

In this example, a legitimate login page is linked, and the timer is set to 5 seconds. When the timer expires, the legitimate login page is changed to an illegitimate login page which has a keylogger installed on it.

Demo 2

In this secondary example, the attack is combined with Pastejacking. A legitimate question is linked. After being opened, a 5 second timer will change the location of the legitimate serverfault website to a malicious clone of the original serverfault page, with pastejacking code installed. This causes any user who tries to copy the answer to get "cat /etc/passwd\n" injected into their clipboard.

Other considerations

When performing this attack, the opened page also has the ability to change the location of the parent page, using the same window.opener method shown above for _blank links. This can be used to stop JavaScript timers on parent pages.
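As an added example (not code from the windowHijacking repository), here is a small Node.js module that hardens a served login page against both directions described on this page: it sends Cross-Origin-Opener-Policy: same-origin so that a cross-origin tab which opened the page with window.open() is disconnected from it and can no longer change its location after a timer (in browsers that implement COOP), and it adds rel="noopener noreferrer" to _blank links so pages it opens cannot reach the parent through window.opener. The server, the sample page and the helper names are assumptions.

```javascript
"use strict";

// Response headers for every HTML document the site serves. COOP "same-origin"
// moves the document into its own browsing context group, so a cross-origin
// page that opened this tab with window.open() is left holding a WindowProxy
// whose .closed is true and can no longer assign its .location later.
function hardenedHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Referrer-Policy": "no-referrer", // pages we open learn nothing about us
  };
}

// Covers the reverse direction (window.opener.location on the parent): every
// <a target="_blank"> gets rel="noopener noreferrer", merged with any rel the
// author already wrote, so the new tab receives window.opener === null.
// Simple tag regex for illustration, not a full HTML parser.
function addNoopener(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;
    const rel = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    if (!rel) return tag.replace(/>$/, ' rel="noopener noreferrer">');
    const tokens = new Set(rel[1].split(/\s+/).filter(Boolean));
    tokens.add("noopener");
    tokens.add("noreferrer");
    return tag.replace(rel[0], `rel="${[...tokens].join(" ")}"`);
  });
}

// Constructed sample page: a login form plus an outbound _blank link.
const LOGIN_PAGE = `<!doctype html><title>Login</title>
<form method="post"><input name="user"><input name="pass" type="password"></form>
<p>Need help? Ask on <a href="https://example.org/help" target="_blank">the forum</a>.</p>`;

// Builds (but does not start) the hardened server; call .listen(port) to run it.
// Hypothetical deployment: serve the real login page through this handler.
function createHardenedServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    res.writeHead(200, hardenedHeaders());
    res.end(addNoopener(LOGIN_PAGE));
  });
}
```

Browsers without COOP support still let a cross-origin opener navigate the tab, so the header is a mitigation for current browsers rather than a complete fix for the opened side.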
