OWASP - User contributions [en]

Forced browsing

2009-05-27T20:02:35Z

Jdv:

[[Category:OWASP ASDR Project]]
==Description==
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use [[Brute force attack|Brute Force]] techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Risk Factors==
TBD
[[Category:FIXME|need content]]

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda through the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (âuser1â) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another userâs agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.

===Example 2 ===
This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml Nikto], has the ability to search for existing files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives an âHTTP 200â message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==
* [[Internal software developer]]

==Related [[Attacks]]==
* [[Path Traversal]]
* [[Path Manipulation]]

==Related [[Vulnerabilities]]==
* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==
* [[:Category: Access Control]]

==References==
* Forceful Browsing â Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
* Parameter fuzzing and forced browsing â WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
* http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
* http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2009-05-27T12:12:53Z

Jdv:

[[Category:OWASP ASDR Project]]
==Description==
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use [[Brute force attack|Brute Force]] techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Risk Factors==
TBD
[[Category:FIXME|need content]]

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda through the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (âuser1â) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another userâs agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.

===Example 2 ===
This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml Nikto], has the ability to search for existing files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives an âHTTP 200â message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==
* [[Internal software developer]]

==Related [[Attacks]]==
* [[Path Traversal]]
* [[Path Manipulation]]

==Related [[Vulnerabilities]]==
* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==
* [[:Category: Access Control]]

==References==
* Forceful Browsing â Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
* Parameter fuzzing and forced browsing â WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
* http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
* http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2009-05-27T12:12:18Z

Jdv:

<br>
[[Category:OWASP ASDR Project]]

==Description==
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use [[Brute force attack|Brute Force]] techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Risk Factors==
TBD
[[Category:FIXME|need content]]

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda through the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (âuser1â) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another userâs agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.

===Example 2 ===
This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml Nikto], has the ability to search for existing files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives an âHTTP 200â message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==
* [[Internal software developer]]

==Related [[Attacks]]==
* [[Path Traversal]]
* [[Path Manipulation]]

==Related [[Vulnerabilities]]==
* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==
* [[:Category: Access Control]]

==References==
* Forceful Browsing â Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
* Parameter fuzzing and forced browsing â WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
* http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
* http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

Forced browsing

2009-05-27T11:52:00Z

Jdv:

<pre>
[http://s1.shard.jp/frhorton/t45lfscw6.html south africa history racism
] [http://s1.shard.jp/galeach/new89.html no mans land asian edition 3
] [http://s1.shard.jp/galeach/new123.html asia tsunami facts and figures
] [http://s1.shard.jp/losaul/australia-physiotherapy.html japanese car imports australia
] [http://s1.shard.jp/galeach/new136.html asian dvd girl invasion orgy
] [http://s1.shard.jp/bireba/windows-xp-antivirus.html symantec antivirus auto protect is disabled
] [http://s1.shard.jp/olharder/auto-classifieds.html auto tradder canada
] [http://s1.shard.jp/galeach/new86.html mr chew asian bever
] [http://s1.shard.jp/losaul/mudgee-australia.html tv forums australia
] [http://s1.shard.jp/olharder/autodesk-inventor.html hawaii auto classifieds
] [http://s1.shard.jp/bireba/avg-antivirus.html symantec antivirus update patch
] [http://s1.shard.jp/frhorton/vuku1m6uz.html inanda dam south africa
] [http://s1.shard.jp/galeach/new108.html asians and hispanics
] [http://s1.shard.jp/bireba/nod-antivirus.html openantivirus
] [http://s1.shard.jp/losaul/aborigines--dreamtime.html vinidex australia
] [http://s1.shard.jp/bireba/latest-antivirus.html nortons antivirus 2004 keygen
] [http://s1.shard.jp/galeach/new40.html gay asian models
] [http://s1.shard.jp/bireba/nortons-antivirus.html symantec antivirus corp
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/losaul/1999-australian.html australia tourist visa uk
] [http://s1.shard.jp/bireba/mobile-antivirus.html antivirus gratuit online
] [http://s1.shard.jp/olharder/automatic-direction.html delphiautomotive
] [http://s1.shard.jp/frhorton/dfj31yuuh.html issue facing african american
] [http://s1.shard.jp/losaul/informed-sources.html tattslotto results melbourne australia
] [http://s1.shard.jp/losaul/professionals.html adelong australia
] [http://s1.shard.jp/frhorton/uf3em2dk5.html african diamonds for sale
] [http://s1.shard.jp/olharder/vancouver-auto.html vancouver auto dealers] [http://s1.shard.jp/bireba/how-to-activate.html how to activate norton antivirus 2005 by phone] [http://s1.shard.jp/olharder/slayers-autoinstaller.html auto loan bad
] [http://s1.shard.jp/olharder/car-ezautoshippersnet.html labontes autoschool
] [http://s1.shard.jp/frhorton/4dqjbtjm2.html african american and latino
] [http://s1.shard.jp/galeach/new125.html ophthalmic lens in asia
] [http://s1.shard.jp/losaul/australia-bank.html music industry jobs in australia
] [http://s1.shard.jp/bireba/quickheal-antivirus.html symentec antivirus update
] [http://s1.shard.jp/galeach/new195.html asia facts
] [http://s1.shard.jp/losaul/australian-citizenship.html australian citizenship applications] [http://s1.shard.jp/bireba/antivirus-cd.html norton antivirus 2006 does not support the repair feature
] [http://s1.shard.jp/olharder/alberta-auto.html earnhardt auto dealer
] [http://s1.shard.jp/losaul/australian-capital.html personal protective equipment australia
] [http://s1.shard.jp/olharder/johnny-bench.html autobiography of antwone fisher
] [http://s1.shard.jp/bireba/alarm-zone-antivirus.html vista antivirus
] [http://s1.shard.jp/galeach/new16.html asian ring sizes
] [http://s1.shard.jp/bireba/top-antivirus.html antivirus for macintosh
] [http://s1.shard.jp/olharder/autoridad-nacional.html hydraulic press automotive
] [http://s1.shard.jp/galeach/new96.html asian bukkake facial kogal] [http://s1.shard.jp/losaul/travel-shows-in.html japan karate association australia
] [http://s1.shard.jp/olharder/autoroll-654.html top] [http://s1.shard.jp/olharder/concession-auto.html autopsy doctors
]
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
</pre>

<br>
[[Category:OWASP ASDR Project]]

==Description==
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use [[Brute force attack|Brute Force]] techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

==Risk Factors==
TBD
[[Category:FIXME|need content]]

==Examples==

===Example 1===
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
The user1 wants to check his on-line agenda through the following URL:

<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>

In the URL, it is possible to identify the username (âuser1â) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another userâs agenda by predicting user identification and date, as follow:

<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>

The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.

===Example 2 ===
This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like [http://www.cirt.net/code/nikto.shtml Nikto], has the ability to search for existing files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives an âHTTP 200â message it means that such resource was found and should be manually inspected for valuable information.

==Related [[Threat Agents]]==
* [[Internal software developer]]

==Related [[Attacks]]==
* [[Path Traversal]]
* [[Path Manipulation]]

==Related [[Vulnerabilities]]==
* [[:Category:Access Control Vulnerability]]

==Related [[Controls]]==
* [[:Category: Access Control]]

==References==
* Forceful Browsing â Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
* Parameter fuzzing and forced browsing â WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
* http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
* http://cwe.mitre.org/data/definitions/425.html

[[category:Resource Manipulation]]
[[Category:Attack]]
__NOTOC__

User:Jdv

2009-05-24T17:43:08Z

Jdv: New page: I am currently the head of UK Assessment Services for Symantec, previously I was with @stake (acquired by Symantec in late 2004).

I am currently the head of UK Assessment Services for Symantec, previously I was with @stake (acquired by Symantec in late 2004).

Hacme Bank

2009-05-24T17:39:54Z

Jdv:

[Hacme Bank info will go here]

Since the Foundstone HacmeBank tool was released with an Open Source License, we can host a copy here and add more tests to it as soon as they are ready (i.e. we don't need to wait for Foundstone's release cycles)

== Notes: ==

'''Removing 'OnlyAllowLocalAccess' restriction'''

By default (to prevent accidental exploitation) non-local requests are not allowed (i.e. only http://127.0.0.1 will work).

To allow such accesses, edit the Hacme Bank's website web.config (in HacmeBank_v2_Website folder) and comment out the HttpModule_onlyAllowLocalAccess line in the <httpModules> section.

To also access (and 'unprotect') the Webservices, remove the same line from the web.config file that is in the HacmeBank_v2_WS folder

'''Installing on non-US English systems'''

The [http://www.foundstone.com/us/resources/proddesc/hacmebank.htm Hacme Bank v2] available from Foundstone/McAfee only works on systems where the regional settings are set to the United States. Although, it at first appears to work, lots of the application interactions and database calls fail with ugly error messages. The easiest fix is to build a dedicated server using US English settings from the ground-up.

{{Template:Stub}}

[[Category:OWASP .NET Project]]