CAPEC-87 Detail
Forceful Browsing
Abstraction: Standard | Domain: Software | Likelihood of Attack: High | Typical Severity: High
Parents: 115
Threats: T292
Tools: 3 18
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-87 | capec | https://capec.mitre.org/data/definitions/87.html | |
| CWE-425 | cwe | http://cwe.mitre.org/data/definitions/425.html | |
| CWE-285 | cwe | http://cwe.mitre.org/data/definitions/285.html | |
| CWE-693 | cwe | http://cwe.mitre.org/data/definitions/693.html | |
| 34 | WASC | http://projects.webappsec.org/Predictable-Resource-Location | Predictable Resource Location |
| | OWASP Attacks | https://owasp.org/www-community/attacks/Forced_browsing | Forced browsing |
Explore
- Spider: Using an automated tool, an attacker follows all public links on a website. They record all the links they find.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
Experiment
- Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.
| Techniques |
|---|
| Use a spidering tool to follow and record attempts on well-known URLs. |
| Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs. |
Exploit
- Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
| Techniques |
|---|
| Access unprotected functions and execute them. |
- View unauthorized data: The attacker discovers and views unprotected sensitive data.
| Techniques |
|---|
| Direct request of protected pages that directly access database back-ends (e.g., list.jsp, accounts.jsp, status.jsp). |
- The forcibly browseable pages or accessible resources must be discoverable and improperly protected.
- None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement.
| Skill Level | Description |
|---|---|
| Low | Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult. |
| Scope | Impact |
|---|---|
| Authorization | Bypass Protection Mechanism |
| Access Control | Bypass Protection Mechanism |
| Confidentiality | Read Data |
| | Bypass Protection Mechanism |
- A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group. An attacker can access the admin.aspx interface by making a direct request to the page. Because the interface itself is not appropriately protected, the attacker can perform administrative functions without ever authenticating in that role.
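The bulletin-board example above, as an added illustration that is not part of the CAPEC entry: a hypothetical minimal request router in which the only "protection" for admin.aspx is that the link is hidden from non-administrators, next to a hardened front-controller version that authorizes every request before dispatch. All names (Session, PAGES, route_vulnerable, route_hardened, forced_browsing_check) are assumptions for this illustration.

```python
# Added example (not CAPEC's or any project's code). Models the weakness in
# the bulletin-board example: admin.aspx is only hidden from the menu, so a
# direct URL request is served to anyone. The hardened router checks the
# caller's group on every request, whatever way the URL was learned.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None            # None means anonymous
    groups: set = field(default_factory=set)


# Pages the application serves; "requires" is the group needed to use them.
PAGES = {
    "/index.aspx": {"requires": None},
    "/admin.aspx": {"requires": "administrators"},
}


def render_menu(session):
    """Links shown to the user. Hiding a link is not access control."""
    return [p for p, meta in PAGES.items()
            if meta["requires"] is None or meta["requires"] in session.groups]


def route_vulnerable(path, session):
    """Weak design: authorization happens only when the menu is built.
    A direct request for /admin.aspx is served to anyone who types the URL."""
    if path not in PAGES:
        return 404, "not found"
    return 200, "served " + path          # no per-request authorization


def route_hardened(path, session):
    """Front controller: every request is authorized before dispatch."""
    if path not in PAGES:
        return 404, "not found"
    required = PAGES[path]["requires"]
    if required is not None:
        if session.user is None:
            return 401, "authentication required"
        if required not in session.groups:
            return 403, "forbidden"
    return 200, "served " + path


def forced_browsing_check(router):
    """Defender's regression check: neither an anonymous nor an ordinary
    member session may get a 200 for the admin page by direct request."""
    anon = Session()
    member = Session(user="alice", groups={"members"})   # constructed sample
    return all(router("/admin.aspx", s)[0] != 200 for s in (anon, member))
```

Running forced_browsing_check against each router makes a useful unit test for any application whose only admin "protection" is menu visibility.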