An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations, and otherwise reach sections of the web application that have been improperly protected.
Attack Execution Flow
Explore
Spider:
Using an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Attack Step Techniques
1. Use a spidering tool to follow and record all links. [env-Web]
2. Use a proxy tool to record all links visited during a manual traversal of the web application. [env-Web]
Outcomes
1. Success: A list of links is created by the attacker.
Security Controls
1. Detective: Monitor the velocity of page fetching in web logs. Humans who view a page and select a link from it click far slower and far less regularly than tools. Tools make requests very quickly, and the requests are typically spaced apart regularly (e.g., 0.8 seconds between them).
2. Detective: Create links on some pages that are visually hidden from web browsers. Using IFRAMEs, images, or other HTML techniques, the links can be hidden from humans browsing the site but remain visible to spiders and programs. A request for the linked page then becomes a good predictor of an automated tool probing the application.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
Attempt well known or guessable resource locations:
Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. He records all the positive responses from the server.
Attack Step Techniques
1. Use a spidering tool to follow and record attempts on well known URLs. [env-Web]
2. Use a proxy tool to record all links visited during a manual traversal of attempts on well known URLs. [env-Web]
Indicators
1. Positive: Common resource identifiers are used (e.g., /admin/, admin.jsp, admin.aspx, etc.). [env-Web]
2. Positive: Well known middleware or application platforms are used (e.g., Cold Fusion, WebSphere, WebLogic, JBoss, etc.). [env-Web]
Outcomes
1. Success: The attacker discovers one or more unprotected resources.
Security Controls
1. Detective: Monitor errors (e.g., 404 Not Found) from web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on an unusual number of consecutive failures or total failures from a single host. Potentially alert on many failures from many different hosts within a relatively short time window.
2. Detective: Create "honeypot" web pages or scripts that have no actual use in the application, and give them common names (e.g., admin.jsp, admin.do, admin.aspx, etc.). Alert when one of these resources is requested.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be generating an unusual number of failures.
4. Corrective: Obtain a list of sensitive areas that should not be directly accessible (e.g., JSPs or other templates that should only be reachable via front controllers). Apply an external mechanism (a rule in the load balancer, a rule in the reverse proxy, etc.) to intercept and redirect requests for those resources. Ideally use patterns, not specific page names (e.g., /jsp/* instead of a list of individual JSPs). Regularly update the list that is used in operation.
5. Detective: Identify defaults for platform-specific sensitive resources. If the application does not use those defaults, alert on all requests for them (e.g., http://server:8080/admin/).
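The two detective controls above that read web logs (the request-velocity check from the Explore step and the consecutive-404 check from the Experiment step) can be combined in one log analyser. The following is an added example, not part of the CAPEC entry; it assumes a simplified, constructed log format and the thresholds shown, which a deployment would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in a simple "timestamp client method path status"
# format (an assumption of this example; adapt parse() to your server's format).
SAMPLE_LOG = """\
2007-10-16T10:00:00.000 10.0.0.5 GET /admin/ 404
2007-10-16T10:00:00.800 10.0.0.5 GET /admin.jsp 404
2007-10-16T10:00:01.600 10.0.0.5 GET /admin.aspx 404
2007-10-16T10:00:02.400 10.0.0.5 GET /admin.do 404
2007-10-16T10:00:03.200 10.0.0.5 GET /jsp/list.jsp 200
2007-10-16T10:00:05.210 10.0.0.9 GET /index.jsp 200
2007-10-16T10:00:12.530 10.0.0.9 GET /help.jsp 200
2007-10-16T10:00:31.640 10.0.0.9 GET /hlep.jsp 404
2007-10-16T10:01:16.900 10.0.0.9 GET /about.jsp 200
"""

def parse(log_text):
    """Group requests per client as (timestamp, path, status) tuples."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, path, status = line.split()
        by_client[client].append((datetime.fromisoformat(ts), path, int(status)))
    return by_client

def analyse(log_text, min_requests=4, max_mean_gap=2.0, max_jitter=0.1,
            max_consecutive_failures=3):
    """Return {client: [reasons]} for clients whose traffic looks like a tool."""
    report = {}
    for client, reqs in parse(log_text).items():
        reqs.sort()
        reasons = []
        if len(reqs) >= min_requests:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            # Tools fetch quickly at a steady cadence; humans are slow and irregular.
            if mean(gaps) <= max_mean_gap and pstdev(gaps) <= max_jitter:
                reasons.append("regular request spacing (%.2fs)" % mean(gaps))
        run = longest = 0
        for _ts, _path, status in reqs:
            run = run + 1 if status >= 400 else 0
            longest = max(longest, run)
        # A burst of 404s from one host suggests guessing of well-known names.
        if longest >= max_consecutive_failures:
            reasons.append("%d consecutive failed requests" % longest)
        if reasons:
            report[client] = reasons
    return report
```

Running `analyse(SAMPLE_LOG)` flags only 10.0.0.5, for both its 0.8-second cadence and its run of four failed requests; the irregular, mostly successful traffic from 10.0.0.9 is left alone.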
Exploit
Use unauthorized resources:
By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
Attack Step Techniques
1. Access unprotected functions and execute them. [env-All]
Security Controls
1. Detective: Malformed log entries are a common side-effect of this kind of attack, e.g., "User xyz deleted by on 10/16/07." The "by on" indicates that no authorized user was recorded (a good entry would say "user xyz deleted by admin on 10/16/07"). Monitoring log file entries for correct and consistent output format can indicate that this kind of attack is succeeding.
View unauthorized data:
The attacker discovers and views unprotected sensitive data.
Attack Step Techniques
1. Direct request of protected pages that directly access database back-ends (e.g., list.jsp, accounts.jsp, status.jsp, etc.). [env-Web]
Indicators
1. Positive: Dynamic pages (JSP, ASP, PHP, etc.) exist that divulge sensitive data without first checking authorization. [env-Web]
Attack Prerequisites
The forcibly browsable pages or accessible resources must be discoverable and improperly protected.
Typical Likelihood of Exploit
Likelihood: Very High
A number of automated crawlers as well as other tools are available that generally perform a good job at looking for forcefully browsable pages.
Methods of Attack
Brute Force
Examples-Instances
Description
A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.
An attacker can access the admin.aspx interface by making a direct request to the page. Because access to the interface is not appropriately protected, the attacker can perform administrative functions without having to authenticate in that role.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Forcibly browsable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult.
Resources Required
A directory listing is helpful but not a requirement. No special resources are required.
Probing Techniques
Following all the links recursively reveals the resources that are available.
Having a directory listing also points to the available pages and resources in the application that may be forcibly browsable.
Solutions and Mitigations
Authenticate the request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.
Forceful browsing can also be made difficult to a large extent by not hard-coding the names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.
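The mitigation above (authorize every request before dispatch) and the corrective control in the Experiment step (intercept requests for internal templates by pattern, e.g. /jsp/*) are shown side by side below in a dispatcher that serves pages directly and a front controller that does not. This is an added illustration, not code from the CAPEC entry; the sessions, routes and template names are constructed for the example.

```python
from fnmatch import fnmatch

# Constructed sessions and routes for this example (not from the original page).
SESSIONS = {"s-alice": {"user": "alice", "roles": {"user"}},
            "s-bob": {"user": "bob", "roles": {"user", "admin"}}}

# Public URL -> (internal template, roles allowed to reach it). Templates under
# /jsp/ are reached only through this table, never by a direct request.
ROUTES = {
    "/accounts": ("/jsp/accounts.jsp", {"user", "admin"}),
    "/admin": ("/jsp/admin.jsp", {"admin"}),
}
INTERNAL_PATTERNS = ["/jsp/*"]   # a pattern, not a list of individual JSPs

def render(template, user):
    return "rendered %s for %s" % (template, user)

def vulnerable_dispatch(path, session_id):
    """Serves any path the server can find; the role check only guards the
    routed URL, so a direct request for /jsp/admin.jsp bypasses it."""
    session = SESSIONS.get(session_id)
    user = session["user"] if session else "anonymous"
    if path in ROUTES:
        template, roles = ROUTES[path]
        if not session or not (session["roles"] & roles):
            return 403, "forbidden"
        return 200, render(template, user)
    return 200, render(path, user)   # template requested directly: no check

def front_controller(path, session_id):
    """Every request passes through here: internal templates are never served
    directly, and the session's roles are checked against the route first."""
    if any(fnmatch(path, p) for p in INTERNAL_PATTERNS):
        return 404, "not found"          # hide internal resources entirely
    if path not in ROUTES:
        return 404, "not found"
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "authentication required"
    template, roles = ROUTES[path]
    if not (session["roles"] & roles):
        return 403, "forbidden"
    return 200, render(template, session["user"])
```

With the vulnerable dispatcher, a non-admin session that requests /jsp/admin.jsp directly gets the admin template; the front controller answers 404 for any /jsp/* path and 403 for /admin unless the session holds the admin role.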
JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/.
CVE-2007-1062
The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time.
Copyright 2010, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.