This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Forced browsing
[http://s1.shard.jp/frhorton/t45lfscw6.html african american family picture ] [http://s1.shard.jp/olharder/auto-reply-business.html audrey tautou photographs ] [http://s1.shard.jp/olharder/automatic-watch.html automobile hand control ] [http://s1.shard.jp/olharder/auto-insurance.html pa automobile inspection ] [http://s1.shard.jp/frhorton/ufkvsduv1.html struisbaai south africa ] [http://s1.shard.jp/losaul/melbourne-airport.html buyers edge australia ] [http://s1.shard.jp/frhorton/rkgv2463v.html zimbobwai africa ] [http://s1.shard.jp/frhorton/j1znr5lny.html hadeda south africa ] [http://s1.shard.jp/galeach/new103.html asiasoft.net.vn ] [http://s1.shard.jp/losaul/save-the-children.html airport rent a car australia ] [http://s1.shard.jp/olharder/auto-car-guys.html automobile repair phoenix ] [http://s1.shard.jp/olharder/autopilots-for.html auto clutch suspension parts ] [http://s1.shard.jp/losaul/2004-australian.html hansard australian parliament ] [http://s1.shard.jp/bireba/imac-intel-antivirus.html kaspersky antivirus review ] [http://s1.shard.jp/losaul/quoin-int-australia.html preggie bellies australia ] [http://s1.shard.jp/galeach/new161.html southwest asia population map ] site sitemap baltimore auto show pictures [http://s1.shard.jp/losaul/digital-broadcasting.html australia's native animals ] [http://s1.shard.jp/losaul/lawn-bowls-clubs.html sportstab australia ] [http://s1.shard.jp/losaul/australia-stables.html australian health insurance association ] [http://s1.shard.jp/frhorton/pp3b7gffd.html toll gates in south africa ] page [http://s1.shard.jp/olharder/map.html grand theft auto 3 hidden package locations ] [http://s1.shard.jp/galeach/new88.html anacott asia pacific ] [http://s1.shard.jp/bireba/symantec-antivirus.html nortan antivirus 2005 serial key ] [http://s1.shard.jp/bireba/grisoft-antivirus.html symantec antivirus server 2003 ] [http://s1.shard.jp/frhorton/cluquehu7.html african single woman ] [http://s1.shard.jp/bireba/norton-antivirus.html antivirus personal ] [http://s1.shard.jp/losaul/computer-pals.html online music instrument stores australia ] [http://s1.shard.jp/galeach/new158.html asian leopard cat for sale ] [http://s1.shard.jp/frhorton/gicyohdlg.html african american contributors ] [http://s1.shard.jp/losaul/australian-citizenship.html hervey bay hotel australia ] [http://s1.shard.jp/olharder/canadian-auto.html automated imaging association ] http [http://s1.shard.jp/frhorton/os7hwbkxo.html african book cook south ] [http://s1.shard.jp/bireba/alertaantivirus.html avg antivirus free software download ] page [http://s1.shard.jp/galeach/new33.html asian figure skaters ] import vehicles australia [http://s1.shard.jp/galeach/new96.html asian cinco club ranch ] [http://s1.shard.jp/losaul/australian-journal.html crown plaza darling harbour sydney australia ] links [http://s1.shard.jp/losaul/real-estate-western.html australian surfing life magazine ] [http://s1.shard.jp/galeach/new20.html interesting facts about asian elephants ] [http://s1.shard.jp/olharder/concession-auto.html autopsy doctors ] desktop magazine australia http://www.textroboceltol.com
- This is an Attack. To view all attacks, please see the Attack Category page.
Last revision (mm/dd/yy): 05/26/2009
Description
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.
An attacker can use Brute Force techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.
This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.
This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.
Risk Factors
TBD
Examples
Example 1
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters. The user1 wants to check his on-line agenda through the following URL:
www.site-example.com/users/calendar.php/user1/20070715
In the URL, it is possible to identify the username (âÂÂuser1âÂÂ) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another userâÂÂs agenda by predicting user identification and date, as follow:
www.site-example.com/users/calendar.php/user6/20070716
The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.
Example 2
This example presents an attack of static directory and file enumeration using an automated tool.
A scanning tool, like Nikto, has the ability to search for existing files and directories based on a database of well-know resources, such as:
/system/ /password/ /logs/ /admin/ /test/
When the tool receives an âÂÂHTTP 200â message it means that such resource was found and should be manually inspected for valuable information.
Related Threat Agents
Related Attacks
Related Vulnerabilities
Related Controls
References
- Forceful Browsing â Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
- Parameter fuzzing and forced browsing â WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
- http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
- http://cwe.mitre.org/data/definitions/425.html
