Difference between revisions of "Forced browsing"

Revision as of 23:44, 17 July 2006

This is an Attack. To view all attacks, please see the Attack Category page.

Attack Description

Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.

One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like nikto to request common directories until a hidden file or directory is found.

Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use WebScarab to change request parameters that specify the target resource.

Related Threats

Related Vulnerabilities

Failure to verify authorization

Failure to disable directory listings

Related Countermeasures

Access Control

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

Revision as of 13:04, 12 June 2006 (view source) Jeff Williams (talk \| contribs) m (Forced Browsing moved to Forced browsing) ← Older edit		Revision as of 23:44, 17 July 2006 (view source) OWASP (talk \| contribs) (→‎Related Vulnerabilities) Newer edit →
Line 14:		Line 14:

	[[Failure to verify authorization]]		[[Failure to verify authorization]]
		+
	[[Failure to disable directory listings]]		[[Failure to disable directory listings]]

Difference between revisions of "Forced browsing"

Revision as of 23:44, 17 July 2006

Attack Description

Related Threats

Related Vulnerabilities

Related Countermeasures

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools