Exploring JavaScript and the DOM from the console

The web console provides a convenient way to explore the DOM via a command line interface. In Firefox, you can open the console with CTRL-SHIFT-K or under Tools -> Web Developer -> Web Console.

This exercise assumes you have opened this page in a new tab by clicking on the button at the bottom of demo_DOM.html

Open the web console and type the following commands:

  1. window
    This is the JavaScript object that represents the current browsing context (the tab) and acts as the global object for scripts running in it.
  2. window.location
    This is the JavaScript object that represents the location (URL) of the current window.
  3. window.location.host
    This returns the hostname of the current location, plus the port if one is explicitly given (e.g. 'example.org:8080'), as a JavaScript string. Use window.location.hostname if you want the name without the port.
  4. window.location.href
    This returns the entire URL of the current location as a JavaScript string.
  5. window.opener
    Here window.opener refers to the 'parent' window that opened the current page. It is of the same type as window, so it has the same properties. Accessing them, however, throws a SecurityError if the two pages have different origins and access is disallowed by the Same-Origin Policy. For instance, try out
  6. Surprisingly enough, even though we do not have permission to read the properties of the parent window, we do have permission to set its location:

    window.opener.location = 'https://mafia.org'

    This works because the Location object is one of the few objects the Same-Origin Policy exposes across origins: its href can be written (navigating the other window) but not read. Note that if the page did not get hold of an opener at all, window.opener is null; recent browsers (Firefox 79+, Chrome 88+) open links with target="_blank" as if they carried rel="noopener", so this exercise relies on the tab being opened in a way that still passes the opener along, such as window.open() without the 'noopener' feature.

    The possibility to change the location of the parent window can be exploited for phishing purposes: a new tab can change the location of the parent window and make it load a phishing webpage, for example one that looks like a Google login page. Careless users may not notice that an old tab has loaded a new webpage: they typically trust the tabs they had already opened. And because old tabs sometimes do require you to log in again, because a session has expired, they may not be surprised that they have to renew their login.

    This attack is called reverse tabnabbing. It is a variant of an earlier attack, called tabnabbing, in which the page left behind in a background tab rewrites itself to look like a login page after the user has looked away for a while. Understanding how (reverse) tabnabbing works is not part of the exam material, but if you're curious, read this blog post by Brian Krebs about tabnabbing. Following the blog of Brian Krebs is a great way to keep up with current attack trends. He is a renowned investigative security journalist who has been responsible for breaking many interesting security news stories.
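The following is an added example, not part of the original exercise, that puts the reverse-tabnabbing step above next to the two defences a page that opens new tabs would use. The function names are my own; `win` and `doc` are passed in explicitly (in a page, pass the real `window` and `document`) so the logic can also be exercised outside a browser with constructed fake objects.

```javascript
// Added example: reverse-tabnabbing payload and its defences.
// `win`/`doc` are injected so the functions can run against constructed fakes
// outside a browser; in a page call them with `window` and `document`.

// Attacker side. A cross-origin opener cannot be read (SecurityError), but
// assigning to window.opener.location navigates the old tab anyway.
function reverseTabnab(win, phishingUrl) {
  const opener = win.opener;
  if (!opener) return false;         // noopener was used: nothing to hijack
  opener.location = phishingUrl;     // old tab now shows the phishing page
  return true;
}

// Same-Origin Policy check: reading the opener's URL throws SecurityError for
// a cross-origin opener, while the write above is permitted.
function canReadOpenerUrl(win) {
  try {
    return typeof win.opener.location.href === 'string';
  } catch (e) {
    if (e && e.name === 'SecurityError') return false;
    throw e;
  }
}

// Defence 1: open the new tab without handing it a reference to this window.
// With the 'noopener' feature browsers return null instead of the new window;
// if an old browser ignores the feature and returns it, sever the link by hand.
function openWithoutOpener(win, url) {
  const child = win.open(url, '_blank', 'noopener,noreferrer');
  if (child) child.opener = null;
  return child;
}

// Defence 2: retrofit rel="noopener noreferrer" onto every existing
// target="_blank" link (e.g. user-supplied HTML). Returns how many were fixed.
function hardenBlankTargetLinks(doc) {
  let patched = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const rel = new Set((a.getAttribute('rel') || '').split(/\s+/).filter(Boolean));
    if (!rel.has('noopener') || !rel.has('noreferrer')) {
      rel.add('noopener');
      rel.add('noreferrer');
      a.setAttribute('rel', [...rel].join(' '));
      patched++;
    }
  }
  return patched;
}

// In a real page:
//   openWithoutOpener(window, 'https://example.org/');
//   hardenBlankTargetLinks(document);
```

Run `hardenBlankTargetLinks(document)` once after rendering untrusted HTML, and prefer `openWithoutOpener` over a bare `window.open()` whenever the target is not your own origin; note that `noreferrer` additionally suppresses the Referer header, which also implies `noopener` in browsers that support it.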