Difference between revisions of "Forced browsing"

From OWASP
Jump to: navigation, search
m (Reverted edits by Sk9 (Talk); changed back to last version by OWASP)
(Risk Factors)
 
(36 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Template:Attack}}
+
[[Category:OWASP ASDR Project]]
 +
==Description==
 +
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.
  
==Attack Description==
+
An attacker can use [[Brute force attack|Brute Force]] techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.
 +
 +
This attack is performed manually when the application index directories and pages are based on number generation or predictable values,  or using automated  tools for common files and directory names.
  
Forced browsing is a technique used by attackers to gain access to resources that are not referenced, but are nevertheless accessible.
+
This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.
  
One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found. A related technique is to use a scanning tool like [[nikto]] to request common directories until a hidden file or directory is found.
+
<!--==Risk Factors==
 +
TBD-->
 +
[[Category:FIXME|need content]]
  
Another technique is to use manual penetration testing to attempt access to resources that are not referenced in the application. For example, an attacker might use [[WebScarab]] to change request parameters that specify the target resource.
+
==Examples==
  
==Related Threats==
+
===Example 1===
 +
This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters.
 +
The user1 wants to check his on-line agenda through the following URL:
  
==Related Vulnerabilities==
+
<nowiki> www.site-example.com/users/calendar.php/user1/20070715 </nowiki>
  
[[Failure to verify authorization]]
+
In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:
  
[[Failure to disable directory listings]]
+
<nowiki> www.site-example.com/users/calendar.php/user6/20070716 </nowiki>
  
==Related Countermeasures==
+
The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.
  
[[:Category:Access Control | Access Control]]
+
===Example 2 ===
 +
This example presents  an attack of static directory and file enumeration using an automated tool.
  
{{Template:Stub}}
+
A scanning tool, like [http://www.cirt.net/code/nikto.shtml Nikto], has the ability to search for existing files and directories based on a database of well-know resources, such as:
  
 +
/system/
 +
/password/
 +
/logs/
 +
/admin/
 +
/test/
 +
 +
When the tool receives an “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.
 +
 +
==Related [[Threat Agents]]==
 +
* [[Internal software developer]]
 +
 +
==Related [[Attacks]]==
 +
* [[Path Traversal]]
 +
* [[Path Manipulation]]
 +
 +
==Related [[Vulnerabilities]]==
 +
* [[:Category:Access Control Vulnerability]]
 +
 +
==Related [[Controls]]==
 +
* [[:Category: Access Control]]
 +
 +
==References==
 +
* Forceful Browsing – Imperva Application Data Security and Compliance http://www.imperva.com/application_defense_center/glossary/forceful_browsing.html
 +
* Parameter fuzzing and forced browsing – WebAppSec - http://seclists.org/webappsec/2006/q3/0182.html
 +
* http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml
 +
* http://cwe.mitre.org/data/definitions/425.html
 +
 +
 +
[[category:Resource Manipulation]]
 
[[Category:Attack]]
 
[[Category:Attack]]
 +
__NOTOC__

Latest revision as of 15:24, 2 October 2009

Description

Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use Brute Force techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders.

This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

Examples

Example 1

This example presents a technique of Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters. The user1 wants to check his on-line agenda through the following URL:

 www.site-example.com/users/calendar.php/user1/20070715 

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy). If the user attempts to make a forced browsing attack, he could guess another user’s agenda by predicting user identification and date, as follow:

 www.site-example.com/users/calendar.php/user6/20070716 

The attack can be considered successful upon accessing other user's agenda. A bad implementation of the authorization mechanism contributed to this attack's success.

Example 2

This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like Nikto, has the ability to search for existing files and directories based on a database of well-know resources, such as:

/system/
/password/
/logs/
/admin/
/test/

When the tool receives an “HTTP 200” message it means that such resource was found and should be manually inspected for valuable information.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References