ZAP Not Reporting 10108 Reverse Tabnabbing


Bryan Fish

Apr 1, 2026, 6:01:41 PM (2 days ago) Apr 1
to ZAP User Group
I'm comparing scan results between Qualys WAS and ZAP.  Qualys reported Tabnabbing vulnerability, I assume because the page includes several links like this one:

<a class="dropdown-item" href="https://vimeo.com/nnnnn" target="_blank">Help Video</a>

I was also expecting an alert for 10108 Reverse Tabnabbing on ZAP, but it's not showing up.  Zap and Add-ons are up to date, and I've set the threshold for that rule to Low, Med, and High and I'm still not seeing the alert.

Any suggestions?  Thanks! 

Simon Bennetts

Apr 2, 2026, 12:51:15 PM (yesterday) Apr 2
to ZAP User Group
Hiya Bryan,

You should tell Qualys to update their rules :D

Modern browsers have an implicit rel="noopener" for "_blank" targets. The link you quoted is safe from tabnabbing, which is why ZAP does not report it.
The only danger is if the "rel" attribute contains "opener" and not "noopener", so that's what ZAP checks for.

Cheers,

Simon
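To make the check Simon describes concrete, here is an added example (not ZAP's own code, and not a statement of how the 10108 rule is implemented internally) that walks a page's anchors and flags only those whose target is "_blank" and whose rel tokens include "opener" without "noopener". The sample HTML is constructed for the example and includes the link quoted above; the example.test URLs are placeholders.

```python
from html.parser import HTMLParser

# Constructed sample page: the link quoted in the thread plus a few rel variants.
SAMPLE_HTML = """
<a class="dropdown-item" href="https://vimeo.com/nnnnn" target="_blank">Help Video</a>
<a href="https://example.test/a" target="_blank" rel="opener">Explicit opener</a>
<a href="https://example.test/b" target="_blank" rel="noopener opener">Mixed rel</a>
<a href="https://example.test/c" target="_blank" rel="noreferrer">Noreferrer only</a>
<a href="https://example.test/d" rel="opener">Same-tab link, no target</a>
"""


class AnchorCollector(HTMLParser):
    """Collects the attributes of every <a> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            # Attribute values may be None for bare attributes; normalise to "".
            self.anchors.append({name.lower(): (value or "") for name, value in attrs})


def rel_tokens(rel_value):
    """rel is a whitespace-separated, case-insensitive token list."""
    return {token.lower() for token in rel_value.split()}


def is_tabnabbing_risk(attrs):
    """True only when the link opens a new tab AND explicitly re-enables the opener.

    A target="_blank" link with no rel at all is treated as safe, because modern
    browsers apply rel="noopener" implicitly (the point made in the reply above).
    Only the "_blank" target is considered here; that is a simplification for
    this example.
    """
    if attrs.get("target", "").strip().lower() != "_blank":
        return False
    rel = rel_tokens(attrs.get("rel", ""))
    return "opener" in rel and "noopener" not in rel


def find_tabnabbing_links(html):
    """Return the hrefs of anchors that would be reported under this check."""
    parser = AnchorCollector()
    parser.feed(html)
    return [a.get("href", "") for a in parser.anchors if is_tabnabbing_risk(a)]


if __name__ == "__main__":
    for href in find_tabnabbing_links(SAMPLE_HTML):
        print("reverse tabnabbing candidate:", href)
```

Running it against the sample reports only the `rel="opener"` link; the quoted Vimeo link, the `noopener opener` mix and the `noreferrer` link are all left alone, which matches why ZAP stays quiet on the page in question.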

Bryan Fish

Apr 2, 2026, 1:07:16 PM (yesterday) Apr 2
to ZAP User Group
Hi Simon,

Thanks for the response, that makes a lot of sense.

>> You should tell Qualys to update their rules :D
That's both true and funny :)  

Thanks,
Bryan