Published on StudyMode: April 4, 2013
NETWORK VULNERABILITIES ASSESSMENT
(NTC 1062)
PROBLEM BASED LEARNING 3
“Failure to restrict URL access”

NAME : SITI ZURINA BINTI IBRAHIM
ID NO : NWS 107374
CLASS : NETWORK SECURITY 2
TTO’S NAME : MISS NOORMELAH BINTI SHAMSUL ANUAR
DUE DATE : 1ST APRIL 2013

Table of Contents
What is Failure to Restrict URL Access?
What is a Forced Browsing attack?
What is the “Failure to Restrict URL Access” vulnerability?
Some common examples
What is the Problem with Failing to Restrict URL Access?
An Example of Failing to Restrict URL Access
How Do You Restrict URL Access?
How Do I Prevent Failure to Restrict URL Access?
Example Scenarios
Conclusion

What is Failure to Restrict URL Access?

Failure to Restrict URL Access is a common vulnerability found in web applications. It was listed in the Open Web Application Security Project’s (OWASP) Top 10 list of the most critical web application risks (entry A8 in the 2010 edition), which by itself shows how widespread and dangerous it is. The vulnerability exists when an attacker can reach a protected page simply by typing its URL into the browser’s address bar, because the application never checks whether the requester is actually authorized to view that page. Attackers commonly exploit it with a forced browsing attack.

What is a Forced Browsing attack?

Forced browsing is an attack used to access resources that exist in a web application but are not referenced (linked) anywhere in it. It can be seen as a brute-force attack in which the attacker guesses the names of unlinked directories or pages on the site. The attack is also known as file enumeration; other names are predictable resource location, resource enumeration and directory enumeration, with forced browsing and predictable resource location being the most common. The attacker analyzes the web server’s HTTP response codes to infer whether a guessed resource exists: a 200 means the resource is there and readable, a 401 or 403 means it is there but protected (which still confirms the name), and a 404 means nothing is there. In this way the attacker hunts for content that was never meant to be public, such as source code, backup files, temporary file directories, sample files and log files. These files are usually left somewhere under the web root and are easy to reach, especially if directory listing is enabled. A successful attack can disclose a great deal of valuable information about the application.

Common directory names that are easy to guess:
* Admin
* Administrator
* Images
* Backup
* Log
* Scripts
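The following is an added example, not part of the original assignment, that shows the guessing and status-code analysis described above in working code. It starts a throwaway local HTTP server that behaves like a misconfigured site (an unlinked admin directory, a forbidden backup directory and a leftover editor backup file), then requests each name from a small wordlist, the list above plus two backup-file guesses, and classifies the answers by HTTP status the way a scanner such as Nikto would. The server, its paths and the wordlist are all constructed for the demo; nothing leaves 127.0.0.1.

```python
"""Forced browsing (predictable resource location) demo, added example."""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed "site": which guessable paths exist and how the server answers.
# Nothing in the application links to these; only a guess finds them.
SITE_PATHS = {
    "/admin/": 200,          # unlinked admin console with no access control
    "/backup/": 403,         # exists, but the web server forbids reading it
    "/config.php.bak": 200,  # editor backup left in the web root
}

# Constructed wordlist: the directory names from the text plus two file guesses.
COMMON_GUESSES = [
    "/admin/", "/administrator/", "/images/", "/backup/",
    "/log/", "/scripts/", "/config.php.bak", "/index.php~",
]


class _FakeSite(http.server.BaseHTTPRequestHandler):
    """Minimal server: answers with the configured status, 404 otherwise."""

    def do_GET(self):
        status = SITE_PATHS.get(self.path, 404)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"{status} for {self.path}\n".encode())

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_site():
    """Start the fake site on an ephemeral port; return (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def probe(base_url, paths):
    """Request each guessed path and classify it by response code.

    200      -> resource exists and is readable (finding)
    401/403  -> resource exists but is protected (still confirms the name)
    404      -> nothing there, not reported
    """
    findings = {}
    for path in paths:
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                code = resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
            code = err.code
        if code == 200:
            findings[path] = "readable"
        elif code in (401, 403):
            findings[path] = "exists-protected"
    return findings


def run_demo():
    """Bring the fake site up, probe the wordlist, tear the site down."""
    server, base = start_site()
    try:
        return probe(base, COMMON_GUESSES)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:17} {path}")
```

The 403 on /backup/ is the point worth noticing: the server blocked the read, yet the attacker now knows the directory exists and can look for a more permissive path into it. Real scanners also vary the name list per technology (for example .bak, ~ and .old suffixes for every known page name) and treat unusual response sizes or redirects as signals, not just the code.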
Forced browsing can be done manually or with the help of tools. Manually, the attacker guesses a resource name, types it into the address bar, and repeats the process until a valid resource turns up. The same process can be automated. Nikto is one tool that can perform forced browsing: it is a popular web server scanner that looks for existing files and directories by trying names from a database of well-known resources.

What is the “Failure to Restrict URL Access” vulnerability?

A web application is vulnerable to Failure to Restrict URL Access if it does not verify the user’s privileges before granting access to a page. The vulnerability arises because many developers merely hide the links to protected pages from unauthorized users, which is security by obscurity; a skilled user can still guess or discover the URL. Often developers only check that the request carries a valid session on all protected pages, so any logged-in user, regardless of role, can reach pages that were not built for them. Using forced browsing, an attacker can therefore browse to and use those pages without ever having been given a link to them.
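As an added example (not the assignment’s own code), here is the same request dispatcher written twice in framework-free Python. The first version performs only the valid-session check the paragraph describes, so any logged-in user who guesses an /admin URL is served it. The second maps every URL to the role it requires and refuses any URL that has no rule, so a forgotten mapping fails closed. The users, roles and pages are constructed for the demo.

```python
"""Failure to Restrict URL Access: session-only check vs. per-URL authorization."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    path: str
    session_user: Optional[str]  # None means no login session at all


# Constructed user store: username -> role
USERS = {"alice": "admin", "bob": "user"}

# Constructed pages; in a real application these are the view functions.
# /admin/backup is linked from nowhere; only forced browsing reaches it.
PAGES = {
    "/home": "Welcome",
    "/account": "Your account",
    "/admin": "Admin console",
    "/admin/users": "User management",
    "/admin/backup": "Backup download",
}


def handle_vulnerable(req: Request) -> Tuple[int, str]:
    """Checks only that *a* session exists, which is the flaw the text describes."""
    if req.path not in PAGES:
        return 404, "Not Found"
    if req.session_user is None:
        return 302, "Redirect to login"
    return 200, PAGES[req.path]  # no check of who the user is


# Hardened version: an explicit URL -> required-role map, deny by default.
REQUIRED_ROLE = {
    "/home": "user",
    "/account": "user",
    "/admin": "admin",
    "/admin/users": "admin",
    # /admin/backup has no entry on purpose: an unlisted URL is refused,
    # so forgetting a rule fails closed instead of open.
}
ROLE_RANK = {"user": 1, "admin": 2}


def handle_hardened(req: Request) -> Tuple[int, str]:
    """Same dispatcher with a real authorization decision per URL."""
    if req.path not in PAGES:
        return 404, "Not Found"
    if req.session_user is None:
        return 302, "Redirect to login"
    required = REQUIRED_ROLE.get(req.path)
    if required is None:
        return 403, "Forbidden: no access rule for this URL"
    if ROLE_RANK[USERS[req.session_user]] < ROLE_RANK[required]:
        return 403, "Forbidden"
    return 200, PAGES[req.path]


def compare(path: str, user: Optional[str]) -> Tuple[int, int]:
    """Return (vulnerable status, hardened status) for one forced-browse attempt."""
    req = Request(path, user)
    return handle_vulnerable(req)[0], handle_hardened(req)[0]


if __name__ == "__main__":
    attempts = [("/account", "bob"), ("/admin/users", "bob"),
                ("/admin/users", "alice"), ("/admin/backup", "alice"),
                ("/admin", None)]
    for path, user in attempts:
        v, h = compare(path, user)
        print(f"{user or '-':6} {path:14} vulnerable={v} hardened={h}")
```

Two details matter in practice. The role map must live in one central place (a filter or middleware that runs before every view), not in each page, or the next page added without a check reopens the hole. And the 403 the hardened version returns confirms to the attacker that the page exists; many applications deliberately answer 404 to unauthorized users so that forced browsing learns nothing from the response.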

Some common examples:...