Byte Open Security (ByteOS Network)
CAPEC-87: Forceful Browsing
Attack Pattern ID: 87
Version: v3.9
Attack Pattern Name: Forceful Browsing
Abstraction: Standard
Status: Draft
Likelihood of Attack: High
Typical Severity: High
▼Description
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
▼Relationships
Nature: ChildOf
Type: Meta
ID: 115
Name: Authentication Bypass
▼Execution Flow
Explore
1. Spider
   Using an automated tool, an attacker follows all public links on a website and records every link found.
   Technique
   Use a spidering tool to follow and record all links.
   Use a proxy tool to record all links visited during a manual traversal of the web application.
Experiment
1. Attempt well-known or guessable resource locations
   Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions, and records all positive responses from the server.
   Technique
   Use a spidering tool to follow and record attempts on well-known URLs.
   Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.
Exploit
1. Use unauthorized resources
   By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
   Technique
   Access unprotected functions and execute them.
2. View unauthorized data
   The attacker discovers and views unprotected sensitive data.
   Technique
   Directly request protected pages that access database back-ends (e.g., list.jsp, accounts.jsp, status.jsp).
▼Prerequisites
The forcibly browsable pages or accessible resources must be discoverable and improperly protected.
▼Skills Required
Low: Forcibly browsable pages can be discovered using a number of automated tools. Doing the same manually is tedious but by no means difficult.
▼Resources Required
None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement.
▼Consequences
Scope: Confidentiality
Likelihood: N/A
Impact: Read Data
Note: N/A

Scope: Confidentiality, Access Control, Authorization
Likelihood: N/A
Impact: Bypass Protection Mechanism
Note: N/A
▼Mitigations
Authenticate requests to every resource. In addition, every page or resource must ensure that the request it is handling was made in an authorized context.
Forceful browsing can also be made considerably harder by not hard-coding the names of application pages or resources. That way, the attacker cannot infer, from the application alone, which resources are available from the present context.
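The first mitigation in code, as an added example that is not part of the CAPEC entry: a minimal front-controller dispatcher that authenticates and authorizes every request, shown beside the weak pattern of relying on links being hidden from the menu. The paths, roles and users are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Route table: every resource declares the roles allowed to reach it.
# A path with no entry does not exist (404); nothing is implicitly public.
ROUTES = {
    "/home":         {"roles": {"user", "admin"}, "handler": lambda req: "welcome"},
    "/accounts.jsp": {"roles": {"admin"},         "handler": lambda req: "account list"},
    "/admin/status": {"roles": {"admin"},         "handler": lambda req: "server status"},
}
PUBLIC = {"/login"}  # the only resource reachable without a session

@dataclass(frozen=True)
class Request:
    path: str
    user: str | None = None          # None models an anonymous request
    roles: frozenset = frozenset()   # roles bound to the authenticated session

def menu_links(req: Request) -> list[str]:
    """Navigation shown to this user. Hiding links is a UI convenience only;
    it must never be what keeps /admin/status out of reach."""
    return sorted(p for p, r in ROUTES.items() if r["roles"] & req.roles)

def dispatch_link_hiding_only(req: Request) -> tuple[int, str]:
    """Weak pattern: assumes users only reach pages through menu_links().
    A directly entered URL bypasses the menu, so any known path is served."""
    route = ROUTES.get(req.path)
    if route is None:
        return 404, "not found"
    return 200, route["handler"](req)

def dispatch_deny_by_default(req: Request) -> tuple[int, str]:
    """Mitigation: authenticate and authorize every request centrally,
    regardless of how the client learned the URL."""
    if req.path in PUBLIC:
        return 200, "login form"
    route = ROUTES.get(req.path)
    if route is None:
        return 404, "not found"            # undeclared resource, never served
    if req.user is None:
        return 401, "authentication required"
    if not (route["roles"] & req.roles):
        return 403, "forbidden"            # authenticated, but wrong context
    return 200, route["handler"](req)

if __name__ == "__main__":
    anon = Request("/accounts.jsp")          # direct URL entry, no session
    print(dispatch_link_hiding_only(anon))   # (200, 'account list'): forced browsing succeeds
    print(dispatch_deny_by_default(anon))    # (401, 'authentication required')
```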
▼Related Weaknesses
CWE-285: Improper Authorization
CWE-425: Direct Request ('Forced Browsing')
CWE-693: Protection Mechanism Failure
▼Taxonomy Mappings
Taxonomy Name: WASC
Entry ID: 34
Entry Name: Predictable Resource Location

Taxonomy Name: OWASP Attacks
Entry ID: N/A
Entry Name: Forced browsing