Sunday, July 1, 2012
Failure to Restrict URL Access is another well-known web application vulnerability. It is listed in the Open Web Application Security Project's (OWASP) Top 10 list of common web vulnerabilities. The vulnerability exists when a web application protects pages merely by hiding their URLs from the menu.
Before going into detail about this vulnerability, you need to know about the forced browsing attack.
Forced Browsing: Forced browsing is an attack in which an attacker tries to access hidden resources that exist on the server but whose references are not shown to normal users. With this attack, the attacker tries to obtain hidden pages of the website stored on the server. It can be performed manually or with tools, but manually performed forced browsing is more effective.
Forced browsing can disclose server log files and temporary files, which help an attacker learn more about the server.
Failure to Restrict URL Access: If, in a web application, an attacker gains access to unauthorized pages just by typing their URLs, this is known as the Failure to Restrict URL Access vulnerability. It mostly exists when developers fail to implement role-based access control. The developer assumes that users will only visit the pages offered to them in the menu, and that pages hidden from them are therefore safe from them. That assumption is exactly what this vulnerability exploits.
Some common methods developers rely on to protect pages, none of which is sufficient on its own:
- Protecting only by hiding references
- Protecting only by checking for valid sessions
- Checking authentication only once
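The following is an added example, not code from the original post. It models a tiny request dispatcher with two authorization policies: the weak one relies on a hidden menu link plus a valid session (the first two patterns above), while the hardened one looks up the role required by each path on every request and refuses anything not in the route table. The users, routes, and stray files are constructed for the illustration and do not come from any real application.

```python
"""Added illustration: role-based authorization enforced on every request.

Models the weak patterns from the post (hidden link, valid-session-only)
against a deny-by-default, per-request role check. All users, routes and
file names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed user store: username -> role
USERS = {"alice": "admin", "bob": "user"}

# Constructed route table. Every application page is listed with the roles
# allowed to see it; pages hidden from the menu still need an entry.
ROUTES = {
    "/home":        {"user", "admin"},
    "/profile":     {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/logs":  {"admin"},
}

# Constructed: files left under the web root that are not part of the app
# (the log/temp files forced browsing tends to turn up).
STRAY_FILES = {"/backup/db.tmp", "/logs/app.log"}


@dataclass
class Request:
    path: str
    session_user: Optional[str]   # None means no authenticated session


def menu_for(user: str) -> list:
    """Links shown to a user. Hiding a link is a UX choice, not a control."""
    role = USERS.get(user)
    return sorted(p for p, roles in ROUTES.items() if role in roles)


def handle_weak(req: Request) -> int:
    """Vulnerable pattern: only checks that a session exists.

    Admin links are absent from bob's menu, but typing the URL is enough,
    and any file present on disk is served as well.
    """
    if req.session_user not in USERS:
        return 401
    if req.path in ROUTES or req.path in STRAY_FILES:
        return 200
    return 404


def handle_hardened(req: Request) -> int:
    """Deny-by-default: authenticate, then check the role required by this
    exact path, on every request. Paths outside ROUTES are refused, which
    also covers stray log and temp files.
    """
    if req.session_user not in USERS:
        return 401
    required = ROUTES.get(req.path)
    if required is None:
        return 404
    if USERS[req.session_user] not in required:
        return 403
    return 200


if __name__ == "__main__":
    probes = [
        Request("/admin/users", "bob"),     # hidden from bob's menu
        Request("/logs/app.log", "bob"),    # stray file, not an app page
        Request("/admin/users", "alice"),   # legitimate admin access
        Request("/admin/users", None),      # no session at all
    ]
    print("bob's menu:", menu_for("bob"))
    for r in probes:
        print(f"{r.path:15} {str(r.session_user):6} "
              f"weak={handle_weak(r)} hardened={handle_hardened(r)}")
```

The point of the hardened handler is that the decision is made from the server-side route table and the caller's role on each request, so neither the menu nor an earlier authentication check is trusted; a request for a path that is not a registered application page is refused even if a file happens to exist at that location.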