Forced browsing, or forceful browsing, is a technique used to attack websites and web applications in order to access poorly protected resources. Some of these resources may contain sensitive information such as user email addresses, login data and other personal data that is not meant to be publicly accessible. In this article, we’re going to cover forced browsing and how you can protect your site against this attack.
Designers and developers who do not have experience with site security will often assume that valuable information or resources can be protected simply by placing them at a hard-to-guess URL, with no extra security layer on top. The assumption is that if a URL is complex, not linked anywhere within the website, and not indexed by Google, it cannot be found. However, attackers have a plethora of tools at their disposal, from social engineering to scanning tools and techniques such as brute-force file enumeration, directory enumeration and resource enumeration, among others. In short, they will likely find the URL, access it, and gain administrator access to your site.
You then have the issue of user authentication that does not meet security standards. An attacker will access your site, create a user account, and their user page may look something like this:
If the authentication process for your site is too simple, the attacker can then change the last part of the URL from ?id=3217 to ?id=3203 and gain access to that user’s page without ever going through the login screen. That’s bad enough, but in these situations the admin page is usually defined as ?id=1. From there the attacker has access to the site’s settings and pretty much everything else on the site.
Forced browsing is also related to other security risks such as directory listing and insecure direct object references: if a server has directory listing turned on, an attacker may use common file locations and directories to bypass security measures. Some of these common directories include /source-code, /configuration and /backup.
By accessing the /source-code directory through directory browsing, the attacker will be able to view the site’s entire source code structure, and from there figure out a way to bypass login pages and gain access to personal data. The /configuration directory will hold all the configuration files for the site, and these files may contain the passwords for your databases, so once again the attacker will be able to gather the personal data of your users. In the /backup directory, the attacker will be able to access and download the backup files of the website, where the database dump is likely to be stored.
Security measures that can prevent forced browsing
The security recommendations that can help prevent forced browsing fall under the umbrella of URL access restrictions. Without getting into too much technical detail, the security settings needed revolve around ensuring that you use the appropriate permissions for viewing files on your site. Anonymous web users who visit your site should not have read permissions on any of the sensitive data files that you have stored online.
You can also define lists of the file types that may be read from your server. For example, most users should not have permission to access .log or database files, unless it is through secure channels. Another way to reduce potential threats is to remove any files that should not be available from web-accessible directories, even if they are secured. If they don’t need to be online on your site, store them elsewhere.
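As an added example that is not part of the original article, the following Python code shows the two controls discussed above: a user page handler that checks the logged-in session rather than trusting the ?id= value alone (the scenario with ?id=3217, ?id=3203 and the ?id=1 admin page), and a path filter that refuses direct requests for the /source-code, /configuration and /backup directories and for .log and database files. The user table, the role names, the blocked suffixes and the function names are assumptions chosen for illustration.

```python
import posixpath

# Constructed sample user table (assumption): id 1 is the admin page, as in the article.
USERS = {
    1: {"name": "admin", "role": "admin"},
    3203: {"name": "alice", "role": "user"},
    3217: {"name": "bob", "role": "user"},
}

# Directories and file types that should never be served to a web client (assumed lists).
BLOCKED_PREFIXES = ("/source-code", "/configuration", "/backup")
BLOCKED_SUFFIXES = (".log", ".sql", ".bak", ".db")


def is_path_allowed(path):
    """Return True only if the requested URL path is outside the blocked areas."""
    # Collapse "." and ".." first so /public/../backup/dump.sql cannot slip past
    # the prefix check; lstrip avoids the POSIX "//" special case in normpath.
    normalized = posixpath.normpath("/" + path.lstrip("/")).lower()
    in_blocked_dir = any(
        normalized == prefix or normalized.startswith(prefix + "/")
        for prefix in BLOCKED_PREFIXES
    )
    return not in_blocked_dir and not normalized.endswith(BLOCKED_SUFFIXES)


def user_page_vulnerable(session_user_id, requested_id):
    """The weak version: only the id in the URL decides what is shown."""
    # Any visitor who changes ?id=3217 to ?id=3203 (or to 1) gets that page.
    return USERS.get(requested_id)


def user_page_secure(session_user_id, requested_id):
    """Hardened version: the server-side session decides what may be viewed."""
    if session_user_id not in USERS:
        return 401, None  # not logged in: send the visitor to the login screen
    requester = USERS[session_user_id]
    if requested_id != session_user_id and requester["role"] != "admin":
        return 403, None  # logged in, but not allowed to read someone else's page
    if requested_id not in USERS:
        return 404, None
    return 200, USERS[requested_id]


if __name__ == "__main__":
    print(user_page_vulnerable(3217, 1))      # leaks the admin page
    print(user_page_secure(3217, 1))          # (403, None)
    print(is_path_allowed("/public/../backup/dump.sql"))  # False
```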
How is vulnerability assessment performed in the case of forced browsing?
The method for finding out whether this vulnerability affects your site depends on the size of the website. In the case of a smaller site, it is easy to check the known weak points quickly and tighten the security measures that are currently in place. For larger websites, your security analyst will use automated software to crawl the website, check its pages and files, and provide a security assessment report.
Are you interested in beefing up the security of your website?
Forced browsing is a serious vulnerability, but it is nevertheless easy to find, fix and prevent. With the right tools and expertise, forced browsing is just another security issue that can be handled by a pro web development team. If you think you are susceptible to this issue, or if you think that your website might have problems with security, contact us today. We are ready to help you whatever the case may be.