This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Forced browsing"
Line 1: | Line 1: | ||
{{Template:Attack}} | {{Template:Attack}} | ||
− | == | + | ==Description== |
− | Forced browsing is | + | Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible. |
− | + | An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders. | |
+ | |||
+ | This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names. | ||
+ | |||
+ | This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration. | ||
+ | |||
+ | |||
+ | ==Examples == | ||
+ | |||
+ | |||
+ | ===Example 1=== | ||
+ | |||
+ | This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters. | ||
+ | The user1 wants to check his on-line agenda that is done thru the following URL: | ||
+ | |||
+ | <nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki> | ||
+ | |||
+ | In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow: | ||
+ | |||
+ | <nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki> | ||
+ | |||
+ | The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success. | ||
+ | |||
+ | |||
+ | ===Example 2 === | ||
+ | |||
+ | This example presents how to perform an attack of static directory and file enumeration using an automated tool. | ||
+ | |||
+ | A scanning tool, like [http://www.cirt.net/code/nikto.shtml | Nikto], has the ability to search for existent files and directories based on a database of well-know resources, such as: | ||
+ | |||
+ | /system/ | ||
+ | /password/ | ||
+ | /logs/ | ||
+ | /admin/ | ||
+ | /test/ | ||
+ | |||
+ | When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information. | ||
+ | |||
+ | |||
+ | ==External References== | ||
+ | |||
+ | *Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html | ||
+ | |||
+ | *Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html | ||
+ | |||
+ | *http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml | ||
+ | |||
+ | *http://cwe.mitre.org/data/definitions/425.html | ||
− | |||
==Related Threats== | ==Related Threats== | ||
+ | |||
+ | [[:Category: Information Disclosure]] | ||
+ | |||
+ | |||
+ | ==Related Attacks== | ||
+ | |||
+ | *[[Path Traversal]] | ||
+ | |||
+ | *[[Path Manipulation]] | ||
+ | |||
==Related Vulnerabilities== | ==Related Vulnerabilities== | ||
− | [[ | + | [[:Category:Access Control Vulnerability]] |
− | |||
==Related Countermeasures== | ==Related Countermeasures== | ||
− | [[:Category: | + | [[:Category: Access Control]] |
+ | |||
+ | ==Categories== | ||
+ | |||
{{Template:Stub}} | {{Template:Stub}} | ||
− | [[Category: | + | [[:Category:Resource Manipulation]] |
Revision as of 18:04, 27 July 2007
- This is an Attack. To view all attacks, please see the Attack Category page.
Description
Forced browsing is an attack that’s aim to enumerate and access resources that are not referenced by the application, but still can be accessible.
An attacker can use brute force techniques to search for unlinked contents in domain directory, such as temporary directories and files, old backup and configuration files. These resources may store sensitive information about web applications and operational system, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.
This attack should be performed manually when the application index directories and pages based on number generation or predictable values, or using automated tools for common files and directories names.
This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.
Examples
Example 1
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters. The user1 wants to check his on-line agenda that is done thru the following URL:
www.site-example.com/users/calendar.php/user1/20070715
In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy).If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:
www.site-example.com/users/calendar.php/user6/20070716
The attack can be considered successful upon accessing other user agenda. A bad implementation of the authorization mechanism also collaborated for this attack success.
Example 2
This example presents how to perform an attack of static directory and file enumeration using an automated tool.
A scanning tool, like | Nikto, has the ability to search for existent files and directories based on a database of well-know resources, such as:
/system/ /password/ /logs/ /admin/ /test/
When the tool receives and “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.
External References
- Forceful Browsing – Imperva Application Data Security and Compliance - http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
- Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
Related Threats
Category: Information Disclosure
Related Attacks
Related Vulnerabilities
Category:Access Control Vulnerability
Related Countermeasures
Categories
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.Category:Resource Manipulation