Difference between revisions of "Forced browsing"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
{Template:Stub}
 
{Template:Stub}
  
==Threat Description==
+
==Attack Description==
  
blah blah blah
+
Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.
  
==Attack Scenario==
+
One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like [[nikto]] to request common directories until a hidden file or directory is found.
  
blah blah blah
+
Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use [[WebScarab]] to change request parameters that specify the target resource.
 
+
==Likelihood Considerations==
+
 
+
blah blah blah
+
 
+
==Impact Considerations==
+
 
+
blah blah blah
+
 
+
==Overall Severity==
+
 
+
blah blah blah
+
 
+
==Countermeasures==
+
 
+
blah blah blah
+
  
 
==Related Threats==
 
==Related Threats==
  
blah blah blah
+
==Related Vulnerabilities==
 
+
==References==
+
  
blah blah blah
+
[[Failure to verify authorization]]
 +
[[Failure to disable directory listings]]
  
 
==Categories==
 
==Categories==

Revision as of 19:37, 27 May 2006

{Template:Stub}

Attack Description

Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.

One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like nikto to request common directories until a hidden file or directory is found.

Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use WebScarab to change request parameters that specify the target resource.

Related Threats

Related Vulnerabilities

Failure to verify authorization Failure to disable directory listings

Categories