Forceful browsing is an attack technique used to gain access to restricted pages or other sensitive resources in a web server by forcing the URL directly. If the restricted URLs, scripts, or files that reside in the web server directory are not enforced with appropriate authorization, they can be vulnerable to forceful browsing attacks.
Attackers typically use brute-force attempts to enumerate directories and files that are restricted from public viewing. File and directory paths often follow common naming conventions and can therefore be guessed easily. The attack is executed manually when the directories or pages are based on predictable resources, or with automated tools that probe for common file and directory names. Predictable resources can also be discovered by analyzing the HTTP response codes returned by the web server.
Forceful browsing is also known as Forced Browsing, File Enumeration, Predictable Resource Location, and Directory Enumeration.
If a web server or a web application is vulnerable to forceful browsing attack, an attacker can access restricted files and view sensitive information.
The attack can be done either manually or by using automated tools for common file and directory names. When done manually, an adversary can also predict unlinked resources when URLs are generated in a predictable manner, for example by rotating numeric identifiers. Most commercial and open source scanners also typically scan for predictable resources that are not directly linked but contain sensitive information.
Forceful browsing attempted on the website that did not enforce proper checks before processing any operation:
An example of forceful browsing would be to directly access a URL which would perform certain operations on the server without following the workflow of the web application.
Consider an online money transfer option on a bank website that allows a web user to log in to his account and transfer money. If an attacker analyses the HTTP requests for the online money transfer, he might find that the operation is performed by the URL http://www.ABC-bank.com/transfer-money.asp?From_account=123456&To_account=7891011&amount=10000. If he uses this URL with a different “From_account” value, he might succeed in transferring some amount to his own account without the consent of the actual account holder.
Thus, if the web application does not verify that the first step was performed successfully before allowing the second step (i.e., that the user was logged in to the source account before a money transfer from it to any other account is processed), it provides an opening for the attacker to perform forceful browsing.
Forceful browsing attempted on a web server that did not enforce authorization for restricted files:
If a web server (www.vulnerable.com) has a page such as admin.asp, admin.jsp or admin.php that contains sensitive information related to the server, that page is not intended to be accessible to normal web users. If the attacker intends to access the admin.asp or admin.jsp page to steal sensitive information, the attacker would try the following:
Thus, the attacker performs forceful browsing to access sensitive pages from the server. If the proper permissions or ACLs are configured for these pages, the attacker will not be able to access such files.
There are two ways to protect against forceful browsing – enforcing an application URL space whitelist and using proper access control.
Creating a whitelist involves explicitly allowing access to the set of URLs that are considered part of the application and needed to exercise its functionality as intended. Any request outside this URL space is denied by default. However, manually creating and maintaining such a whitelist can be tedious. The Barracuda Web Application Firewall’s adaptive profiling can be used to create such a whitelist automatically, by learning the valid URL space from trusted traffic, and to enforce it. It also comes with a block list of common files and directories that are frequently left exposed unintentionally.
In the second method, proper access control and authorization policies ensure that access is given only to users commensurate with their privileges. The Barracuda Web Application Firewall provides authorization policies at the URL level, along with protection against session-based attacks, to enforce proper access control against such abuse.
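The following is an added example, not code from this page or from the Barracuda product, that models the transfer-money request discussed above and the two protections described in this section: a default-deny URL allow-list and an authorization check that the logged-in user actually owns “From_account”. The session table, account ownership table and allowed paths are constructed sample data, not real bank data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (hypothetical): active sessions and account ownership.
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}
ACCOUNT_OWNER = {"123456": "alice", "7891011": "mallory"}

# Explicit application URL space; any path not listed is denied by default.
ALLOWED_PATHS = {"/index.asp", "/login.asp", "/transfer-money.asp"}

# The transfer URL from the page, used here as sample input.
SAMPLE_URL = ("http://www.ABC-bank.com/transfer-money.asp"
              "?From_account=123456&To_account=7891011&amount=10000")


def parse_request(url):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def transfer_vulnerable(url):
    """Flawed handler: acts on the URL parameters with no login or ownership check."""
    _, p = parse_request(url)
    return ("ok", p["From_account"], p["To_account"], int(p["amount"]))


def transfer_secure(url, session_id):
    """Hardened handler: URL allow-list, then login check, then ownership check."""
    path, p = parse_request(url)
    if path not in ALLOWED_PATHS:
        return ("denied", "path outside application URL space")
    user = SESSIONS.get(session_id)
    if user is None:
        return ("denied", "not logged in")            # workflow step 1 was skipped
    src = p.get("From_account")
    if ACCOUNT_OWNER.get(src) != user:
        return ("denied", "From_account not owned by caller")  # wrong account
    return ("ok", src, p["To_account"], int(p["amount"]))


if __name__ == "__main__":
    print(transfer_vulnerable(SAMPLE_URL))                   # transfer goes through
    print(transfer_secure(SAMPLE_URL, None))                 # denied: not logged in
    print(transfer_secure(SAMPLE_URL, "sess-mallory"))       # denied: not her account
    print(transfer_secure(SAMPLE_URL, "sess-alice"))         # ok: owner of 123456
    print(transfer_secure("http://www.ABC-bank.com/admin.asp", "sess-alice"))
```

The last call shows the allow-list rejecting a forced request for admin.asp even from an authenticated user, which is the default-deny behaviour the whitelist approach relies on.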
OWASP Top 10, PCI-DSS