Failure to Restrict URL Access By Forced Browsing Attack
Sunday, July 1, 2012
Failure to restrict URL access is another well-known web application vulnerability, and it is listed in the Open Web Application Security Project (OWASP) Top 10 list of common web vulnerabilities. It exists when a web application protects pages only by hiding their URLs from the menu.
Before going into detail about this vulnerability, you must know about the forced browsing attack.
Forced Browsing: Forced browsing is an attack in which the attacker tries to access hidden resources that exist on the server but whose references are hidden from normal users. With this attack, the attacker tries to reach hidden pages of the website stored on the server. It can be performed manually or with tools, but forced browsing done manually is more effective.
Forced browsing can disclose server log files and temporary files, which help an attacker learn more about the server.
Failure to Restrict URL Access: If, in a web application, an attacker gains access to unauthorized pages just by typing their URLs, this is known as the Failure to Restrict URL Access vulnerability. It mostly exists when developers fail to provide role-based access control. The developer assumes that users will only visit the pages offered to them in the menu, and that pages hidden from the menu are therefore safe from them. Forced browsing exposes this vulnerability.
Some common, but inadequate, ways developers protect pages:
- Protecting only by hiding references
- Protecting only by checking for valid sessions
- Checking authentication only once
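The following added example (written for this post, not code from the original) models the weak "valid session only" protection beside a per-request role check. The page table, roles and session class are constructed for illustration; the `audit` helper shows what a review of the routes would find when a plain user requests pages that are hidden from the menu but still exist.

```python
# Added example: why "hidden from the menu" and "has a session" are not
# authorization. Page table, roles and users are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str  # "user" or "admin"


# Constructed route table: path -> minimum role required. The /admin pages
# are not linked from the menu, but they exist on the server all the same.
PAGES = {
    "/home": "user",
    "/admin/users": "admin",
    "/admin/export": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def weak_access(path, session):
    """Vulnerable pattern from the post: only checks that a session exists.
    Any logged-in user who types the URL reaches the admin pages."""
    if path not in PAGES:
        return 404
    return 200 if session is not None else 302  # 302 = redirect to login


def strict_access(path, session):
    """Hardened: every request checks authentication AND the role the page
    requires, so hiding a link is no longer relied on as a control."""
    if path not in PAGES:
        return 404
    if session is None:
        return 302
    if ROLE_RANK[session.role] < ROLE_RANK[PAGES[path]]:
        return 403
    return 200


def audit(check):
    """Pages a plain user reaches although they require a higher role, i.e.
    what a forced-browsing pass over the route table would uncover in testing."""
    plain_user = Session("alice", "user")
    return sorted(p for p, role in PAGES.items()
                  if role != "user" and check(p, plain_user) == 200)
```

Running `audit(weak_access)` lists both admin pages, while `audit(strict_access)` returns an empty list.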