What is a forced browsing attack, and how can I ensure users of my Web applications are protected against it?
Most Web applications use authentication to ensure only users with sufficient rights can access certain pages. Users must provide a username and password before being allowed access. Forced browsing is a simple browser attack that attempts to circumvent these controls by requesting authenticated areas of the application directly, without providing valid credentials, or by requesting pages beyond the access level of the logged-in user. If permissions on these pages have not been configured correctly, the pages will be displayed to the unauthorised user.
Rob Shapland, one of SearchSecurity.co.UK's resident security experts, is standing by to answer your questions. Submit your questions today. (All questions are treated as anonymous.)
Forced browsing is most often a problem when a Web application has more than one user privilege level. For example, a Web application may have admin users, normal users and basic users. Each of these users logs in through the same page, but the menus and options they have access to may vary. However, if a user can discover or guess the name of a valid page, he or she can manually request that page by typing the URL directly into the address bar. If authorisation rights have been set up incorrectly, the user may be granted access.
This can be a significant problem with admin pages especially, because the admin of a Web application usually has the ability to create or edit users. Most admin pages use common and easily guessable names, and if user access rights have not been configured correctly, a user may be able to gain access to areas above the user’s privilege level.
It may seem protected pages are essentially “hidden” because they have obscure names. However, there are readily available tools that can attempt to access such pages. These tools will cycle through a huge list of potential page names, recording the response from the server and highlighting those URLs that responded with the requested page. With a small amount of manual investigation, it’s possible to determine if access has been granted to these pages.
Forced browsing is often seen when a Web application is hosting files for download. For example, these files may be available from the /file.php page, which uses an ID number for each file. It is not uncommon for the Web application to be hosting more files than are shown as available to all users. These files can be accessed by incrementing the ID number until another file is downloaded. Often these files are of an entirely different type from those that were intended for download.
The potential impact of forced browsing includes unauthorised access to all administration functions and to other users' personal information. To prevent forced browsing, ensure users' access rights are enforced on the server for every request at the correct privilege level, and not merely by limiting the pages shown in the interface of the Web application.
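The following is an added illustration, not code from the original answer: a minimal request dispatcher with the three roles described above and a file-download page keyed by ID. The first handler relies on the menu to hide pages (the mistake the answer describes); the second authorises every request on the server, including the ownership of each file ID. All users, paths and file records are constructed for the example.

```python
# Added example (not from the original article). Users, files and paths are
# constructed to show the difference between hiding a link and authorising a request.
from dataclasses import dataclass

ROLE_RANK = {"basic": 0, "normal": 1, "admin": 2}

@dataclass
class User:
    name: str
    role: str

# Constructed sample data: more files exist than the UI lists to basic users.
FILES = {1: ("brochure.pdf", "public"), 2: ("pricelist.pdf", "public"),
         3: ("payroll.xlsx", "admin")}
MIN_ROLE = {"/home": "basic", "/file": "basic", "/admin": "admin"}

def menu_for(user):
    """What the interface shows; this is NOT a security control."""
    return [p for p, r in MIN_ROLE.items() if ROLE_RANK[user.role] >= ROLE_RANK[r]]

def _file_id(params):
    """Parse the id parameter; None for missing or non-numeric values."""
    try:
        return int(params.get("id", ""))
    except ValueError:
        return None

def handle_insecure(user, path, params):
    """Vulnerable: assumes only links shown in the menu will ever be requested."""
    if path == "/admin":
        return 200, "admin panel"
    if path == "/file":
        fid = _file_id(params)
        return (200, FILES[fid][0]) if fid in FILES else (404, "")
    return 200, "home"

def handle_secure(user, path, params):
    """Hardened: every request is checked against the session's role on the server."""
    if user is None:
        return 401, ""                      # no valid session at all
    required = MIN_ROLE.get(path)
    if required is None:
        return 404, ""
    if ROLE_RANK[user.role] < ROLE_RANK[required]:
        return 403, ""                      # page exists, but this role may not use it
    if path == "/file":
        fid = _file_id(params)
        if fid not in FILES:
            return 404, ""
        name, visibility = FILES[fid]
        if visibility != "public" and ROLE_RANK[user.role] < ROLE_RANK["admin"]:
            return 403, ""                  # per-object check stops ID enumeration
        return 200, name
    return 200, ("admin panel" if path == "/admin" else "home")
```

Returning 404 rather than 403 for restricted file IDs is a reasonable variation if you do not want to confirm that the object exists.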
This was first published in March 2012