Forced browsing

Revision as of 04:00, 27 May 2009 by Deleted user (Talk | contribs)


Last revision (mm/dd/yy): 05/27/2009


Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

An attacker can use brute-force techniques to search for unlinked content under the application's document root, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about the web application and the operating system, such as source code, credentials, internal network addressing, and so on, which makes them valuable to intruders.

The attack is performed manually when the application's directory indexes and page names are generated from sequential numbers or other predictable values, or with automated tools that try common file and directory names.

This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

Risk Factors



Example 1

This example presents a Predictable Resource Location technique based on manual, targeted identification of resources by modifying URL parameters. User user1 wants to check his online agenda through the following URL: 

In the URL, it is possible to identify the username (“user1”) and the date (mm/dd/yyyy). If the user attempts a forced browsing attack, he could reach another user’s agenda by predicting the user identifier and date, as follows: 

The attack is considered successful upon accessing another user's agenda. A flawed authorization mechanism, which trusts the identity named in the URL instead of the authenticated session, contributed to this attack's success.
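The authorization flaw from Example 1, shown as an added example that is not part of the original page: a lookup that trusts the user named in the URL beside one that binds the record to the authenticated session. The agenda store, the usernames, the `/agenda?user=…&date=…` URL shape and the sample dates are assumptions constructed for the example.

```python
from datetime import date
from urllib.parse import parse_qs, urlparse

# Constructed sample data: each user's agenda, keyed by (username, ISO date).
AGENDAS = {
    ("user1", "2009-05-27"): "dentist 10:00",
    ("user2", "2009-05-27"): "board meeting 14:00",
}


def parse_request(url):
    """Extract the user and mm/dd/yyyy date parameters from an agenda URL
    such as /agenda?user=user1&date=05/27/2009 (URL shape is assumed)."""
    qs = parse_qs(urlparse(url).query)
    if "user" not in qs or "date" not in qs:
        raise ValueError("missing user or date parameter")
    mm, dd, yyyy = qs["date"][0].split("/")
    return qs["user"][0], date(int(yyyy), int(mm), int(dd)).isoformat()


def vulnerable_lookup(session_user, url):
    """Flawed version: the record is selected by the user named in the URL,
    so an authenticated session_user reads anyone's agenda by editing it."""
    target, day = parse_request(url)
    return AGENDAS.get((target, day))


def hardened_lookup(session_user, url):
    """Fixed version: the record is selected by the authenticated identity;
    a URL parameter naming someone else is refused, not honoured."""
    target, day = parse_request(url)
    if target != session_user:
        return None  # deny; a real app would log this and answer HTTP 403
    return AGENDAS.get((session_user, day))
```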

Example 2

This example presents an attack of static directory and file enumeration using an automated tool.

A scanning tool, like Nikto, has the ability to search for existing files and directories based on a database of well-known resources, such as:


When the tool receives an “HTTP 200” response, the resource exists and should be manually inspected for valuable information.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls