Forced browsing



Description
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use brute force techniques to search for unlinked content in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about the web application and the operating system, such as source code, credentials and internal network addressing, which makes them a valuable target for intruders. The attack is performed manually when the application's directories and pages are indexed by generated numbers or other predictable values, or with automated tools that try common file and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

Risk Factors
TBD

Example 1
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters. The user1 wants to check his on-line agenda through the following URL:

www.site-example.com/users/calendar.php/user1/20070715

In the URL, it is possible to identify the username ("user1") and the date (mm/dd/yyyy). To attempt a forced browsing attack, the user could guess another user's agenda by predicting the user identifier and date, as follows:

www.site-example.com/users/calendar.php/user6/20070716

The attack can be considered successful upon accessing another user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.
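The authorization defect behind Example 1, shown as an added illustration that is not part of the original page: a request handler for the `/users/calendar.php/<user>/<date>` path, first without any ownership check and then with the check that binds access to the session identity rather than to the identifier in the URL. The `AGENDAS` data, the `Response` type and the `session_user` parameter are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample data: each agenda keyed by (username, yyyymmdd).
AGENDAS = {
    ("user1", "20070715"): ["09:00 standup", "14:00 dentist"],
    ("user6", "20070716"): ["11:00 board meeting"],
}

# Only the path shape the page shows: /users/calendar.php/<user>/<yyyymmdd>
CALENDAR_PATH = re.compile(r"^/users/calendar\.php/([A-Za-z0-9_]+)/(\d{8})$")


@dataclass
class Response:
    status: int
    body: list = field(default_factory=list)


def _parse(path: str):
    """Return (owner, date) from the path, or None when the path does not match."""
    m = CALENDAR_PATH.match(path)
    return (m.group(1), m.group(2)) if m else None


def handle_calendar_unchecked(path: str, session_user: Optional[str]) -> Response:
    """Vulnerable form: whoever names a user in the URL gets that user's agenda."""
    parsed = _parse(path)
    if parsed is None:
        return Response(404)
    owner, date = parsed
    return Response(200, AGENDAS.get((owner, date), []))


def handle_calendar(path: str, session_user: Optional[str]) -> Response:
    """Hardened form: the session identity, not the URL, decides whose agenda is served."""
    parsed = _parse(path)
    if parsed is None:
        return Response(404)
    owner, date = parsed
    try:
        datetime.strptime(date, "%Y%m%d")  # reject malformed or impossible dates
    except ValueError:
        return Response(400)
    if session_user is None:
        return Response(401)
    if owner != session_user:
        # The check Example 1 says was missing: user1 may not read user6's agenda.
        return Response(403)
    return Response(200, AGENDAS.get((owner, date), []))
```

Returning 403 rather than 404 on an ownership mismatch is a choice; some deployments prefer 404 so that valid usernames are not confirmed to a probing client.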

Example 2
This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like Nikto, has the ability to search for existing files and directories based on a database of well-known resource names, such as:

/system/ /password/ /logs/ /admin/ /test/

When the tool receives an "HTTP 200" response, it means that the resource was found and should be manually inspected for valuable information.

Related Threat Agents

 * Internal software developer

Related Attacks

 * Path Traversal
 * Path Manipulation

Related Vulnerabilities

 * Category:Access Control Vulnerability

Related Controls

 * Category: Access Control