Broken external links and missing security attributes (rel="noopener noreferrer") #1336

@YadavAkhileshh

Description

The OWTF website (https://owtf.github.io/) has several issues with external links:

  1. Some links may be broken or point to outdated URLs
  2. External links lack rel="noopener noreferrer" security attributes
  3. External links don't open in new tabs consistently
  4. No visual indication that links are external

Current Behavior

1. Missing Security Attributes

External links that use target="_blank" are missing rel="noopener noreferrer", which can lead to:

  • Security vulnerability: Tabnabbing attacks (new page can access window.opener)
  • Performance issues: New page runs in same process as original
  • Privacy leaks: Referrer information exposed

2. Inconsistent Link Behavior

  • Some external links open in same tab (user loses place)
  • Some open in new tab without security attributes
  • No consistent pattern for external vs internal links

3. Potentially Broken Links

Links that may need verification:

  • Documentation links
  • GitHub repository links
  • OWASP project page links
  • Social media links
  • External tool references

4. No Visual Indicators

  • Users can't tell which links are external
  • No icon or indication before clicking
  • Unexpected navigation behavior

Expected Behavior

All external links should:

  • ✅ Include target="_blank" rel="noopener noreferrer"
  • ✅ Have visual indicator (icon) showing they're external
  • ✅ Be validated and working
  • ✅ Follow consistent pattern

Security Impact

Tabnabbing Attack Example:

```javascript
// Malicious page opened via target="_blank" without rel="noopener"
if (window.opener) {
  window.opener.location = 'https://phishing-site.com';
}
```

Without rel="noopener noreferrer", a malicious external site can:

  1. Access the window.opener object
  2. Redirect the original page to a phishing site
  3. User returns to what looks like OWTF but is actually fake
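As an added example (not code from the OWTF project or from the issue author), a small Node.js audit of the problems described above: it flags external links that open a new tab without `rel="noopener"` or that still open in the same tab, and rewrites them with the `target="_blank" rel="noopener noreferrer"` pattern the expected-behaviour list asks for. The site origin is taken from the issue; the regex-based tag scanner is an assumption made so the script runs without a DOM.

```javascript
// Added example (not OWTF project code): audit <a> tags in an HTML string for the
// external-link problems described in the issue and emit a hardened copy.
const SITE_ORIGIN = 'https://owtf.github.io'; // the site the issue is about

// Parse one <a ...> tag's attributes into a Map keyed by lower-cased name.
function parseAttrs(tag) {
  const attrs = new Map();
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4]);
  return attrs;
}

// External: http(s) URL whose origin differs from the site's (relative paths, mailto: and malformed hrefs are not external).
function isExternal(href) {
  try {
    const u = new URL(href, SITE_ORIGIN);
    return /^https?:$/.test(u.protocol) && u.origin !== new URL(SITE_ORIGIN).origin;
  } catch {
    return false;
  }
}
// Report external links opening a new tab without noopener (tabnabbing exposure)
// and external links that still open in the same tab (the inconsistency in the issue).
function auditLinks(html) {
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const href = a.get('href');
    if (!href || !isExternal(href)) continue;
    const rel = (a.get('rel') || '').toLowerCase().split(/\s+/);
    if (a.get('target') === '_blank' && !rel.includes('noopener')) {
      findings.push({ href, problem: 'target=_blank without rel=noopener' });
    } else if (a.get('target') !== '_blank') {
      findings.push({ href, problem: 'external link opens in same tab' });
    }
  }
  return findings;
}
// Rewrite every external <a> to carry target="_blank" rel="noopener noreferrer".
// Attributes are re-emitted as name="value" pairs, so valueless attributes are dropped.
function hardenLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    const a = parseAttrs(tag);
    if (!a.has('href') || !isExternal(a.get('href'))) return tag;
    const rel = new Set((a.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean));
    rel.add('noopener').add('noreferrer');
    a.set('target', '_blank').set('rel', [...rel].join(' '));
    return '<a ' + [...a].map(([k, v]) => `${k}="${v}"`).join(' ') + '>';
  });
}
```

Current browsers already treat `target="_blank"` as implying `noopener`, so the explicit attribute mainly protects visitors on older browsers, while `noreferrer` additionally suppresses the Referer header that the issue lists as a privacy leak.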
