This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Forced browsing"
(→Related Vulnerabilities) |
(→Attack Description) |
||
| Line 5: | Line 5: | ||
Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. | Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible. | ||
| − | One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like [[nikto]] to request common directories until a hidden file or directory is found. | + | One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like [http://www.ngolde.de/w3bfukk0r.html w3bfukk0r] or [[nikto]] to request common directories until a hidden file or directory is found. |
Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use [[WebScarab]] to change request parameters that specify the target resource. | Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use [[WebScarab]] to change request parameters that specify the target resource. | ||
Revision as of 17:19, 15 July 2007
- This is an Attack. To view all attacks, please see the Attack Category page.
Attack Description
Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.
One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like w3bfukk0r or nikto to request common directories until a hidden file or directory is found.
Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use WebScarab to change request parameters that specify the target resource.
Related Threats
Related Vulnerabilities
Failure to verify authorization
Failure to disable directory listings
Related Countermeasures
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
