Topics: Authentication, Access control, Authorization Pages: 6 (1533 words) Published: April 4, 2013
(NTC 1062)
“Failure to restrict URL access”

ID NO : NWS 107374

Table of content
What is failure to Restrict URL Access?
What is Forced browsing attack?
What is “Failure to Restrict URL Access” vulnerability?
Some common examples:
What is the Problem with Failing to Restrict URL Access?
An Example of Failing to Restrict URL Access
How Do You Restrict URL Access
How Do I Prevent Failure to Restrict URL Access?
Example Scenarios

What is failure to Restrict URL Access?

Failure to Restrict URL Access is a common vulnerability found in web applications. It is listed in the Open Web Application Security Project (OWASP) Top 10 list of web application risks (A8 in the 2010 edition; the 2013 edition renamed it Missing Function Level Access Control), which indicates how widespread and dangerous it is. The vulnerability exists when an attacker can reach a protected page simply by typing its URL into the browser's address bar, because the application never checks whether that user is allowed to see the page. Attackers commonly use a forced browsing attack to find and exploit such pages.

What is Forced browsing attack?

Forced browsing is an attack used to reach resources that exist in a web application but are not linked from anywhere in it. It can be seen as a brute-force attack in which the attacker tries to guess the names of unlinked directories or pages. The attack is also called file enumeration, predictable resource location, resource enumeration and directory enumeration, but the most common names are forced browsing and predictable resource location. The attacker analyzes the HTTP response codes returned by the web server to decide whether a guessed resource exists: a 404 usually means it does not, while a 200, a 401 or 403, or a redirect to a login page usually means it does. The targets are sensitive content that was never meant to be served, such as source code, backup files, temporary file directories, sample files and log files. These files are often left somewhere under the web root and are especially easy to find when directory listing is enabled, since the server then reveals their names. The attack can disclose a great deal of valuable information about the application to an attacker.

Common directory names that are easy to guess:
* Admin
* Administrator
* Images
* Backup
* Log
* Scripts
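A small forced-browsing probe that tries the names just listed (plus a few backup and log file names of the kind the text describes) and classifies each candidate by its HTTP status code. This is an added example written for this page, not code from the essay or from any scanner. The wordlist is hypothetical, and `constructed_server` is a made-up target so the example runs offline; `http_fetch` is the same logic over a real HTTP connection, for use only against systems you are authorised to test. The probe also handles the case the text does not mention: servers that answer every unknown path with a friendly 200 page, which makes a bare 200 meaningless until you compare it against a guaranteed miss.

```python
"""Forced-browsing probe: tries common directory/file names and classifies
each candidate by HTTP status code. Added example for this page."""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Hypothetical wordlist: the directory names from the text plus a few
# backup/log/temporary file patterns of the kind the text describes.
WORDLIST = [
    "admin/", "administrator/", "images/", "backup/", "log/", "scripts/",
    "backup.zip", "config.php.bak", "error.log", "test/",
]

# A fetcher maps a relative path to (status code, body length).
Fetch = Callable[[str], Tuple[int, int]]


def http_fetch(base_url: str) -> Fetch:
    """Real fetcher over HTTP. Only point it at targets you may test."""
    def fetch(path: str) -> Tuple[int, int]:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + path,
                                     headers={"User-Agent": "forced-browse-demo"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, len(err.read())
    return fetch


def probe(wordlist, fetch: Fetch) -> Dict[str, str]:
    """Classify each candidate path by status code.

    First request a random path that cannot exist, to learn what 'not found'
    looks like on this server. Some applications answer 200 with a friendly
    error page (a soft 404), so a 200 that matches the baseline in status and
    size is treated as a miss rather than a hit."""
    baseline_status, baseline_len = fetch("nonexistent-" + secrets.token_hex(8))
    findings: Dict[str, str] = {}
    for path in wordlist:
        status, length = fetch(path)
        if status == 404:
            continue
        if status == baseline_status and length == baseline_len:
            continue  # indistinguishable from the guaranteed miss
        if status in (301, 302):
            findings[path] = "redirect (exists; may require login)"
        elif status in (401, 403):
            findings[path] = "forbidden (exists; access is restricted)"
        elif status == 200:
            findings[path] = "accessible"
        else:
            findings[path] = f"status {status}"
    return findings


def constructed_server(path: str) -> Tuple[int, int]:
    """Constructed stand-in for a target so the example runs offline.
    Every unknown path gets the same 200 'friendly error' page (soft 404)."""
    table = {
        "admin/": (302, 0),          # redirects to login: the page exists
        "backup/": (403, 211),       # directory exists, listing disabled
        "backup.zip": (200, 48213),  # forgotten archive, world readable
        "error.log": (200, 9021),    # log file left under the web root
    }
    return table.get(path, (200, 1337))


if __name__ == "__main__":
    for found_path, verdict in probe(WORDLIST, constructed_server).items():
        print(f"{found_path:20} {verdict}")
```

Against the constructed target the probe reports `admin/` as a redirect, `backup/` as forbidden, and `backup.zip` and `error.log` as accessible, while `administrator/`, `images/` and the other misses are dropped because they look exactly like the baseline soft-404. Without the baseline step every one of them would have been reported as a 200 hit.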
Forced browsing can be done manually or with tools. In manual forced browsing the attacker guesses a resource name, types it into the address bar, and repeats until a valid resource turns up. The same process can be automated. Nikto is one tool that can perform forced browsing: it is a popular web server scanner that looks for known files and directories on a site by trying names from a database of well-known resources.

What is “Failure to Restrict URL Access” vulnerability?

A web application is vulnerable to “Failure to Restrict URL Access” if it fails to verify the user's privileges before serving a page. The vulnerability arises because many developers merely hide the links to protected pages from unauthorized users and treat that as protection; a skilled unauthorized user can guess or otherwise discover the link and open the page directly. Very often the only check performed on protected pages is that the request carries a valid session, so any logged-in user, including one whose role was never meant to use that page, gets through. Using forced browsing, an attacker can reach and use such pages without ever being shown a link to them. The correct check is an authorization decision on every request, made on the server from the user's role and the resource requested, not from the presence of a link or of a session.
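The two patterns described above side by side, as an added example written for this page (not code from the essay): a request dispatcher that only checks for a valid session, and a hardened one that looks up the role each route requires in a central table before calling the handler. The routes, roles and handlers are hypothetical; the point is that a normal user forced-browsing to `/admin/users` gets the page from the first dispatcher and a 403 from the second.

```python
"""Vulnerable vs. hardened URL access control as a pure-Python dispatcher.
Added example for this page; routes and roles are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    role: str  # hypothetical roles: "user" or "admin"


Response = Tuple[int, str]  # (status code, body)


# Hypothetical page handlers. None of them checks the caller's role;
# that is the dispatcher's job.
def home(s: Session) -> Response:
    return 200, f"welcome {s.user}"


def admin_users(s: Session) -> Response:
    return 200, "user list: alice, bob, carol"


def admin_delete(s: Session) -> Response:
    return 200, "deleted"


# --- Vulnerable pattern -----------------------------------------------------
# The /admin links are hidden from ordinary users in the menu, and every page
# only checks that *some* valid session exists. Hiding the link is not access
# control: anyone who types the URL gets the page.
VULN_ROUTES: Dict[str, Callable[[Session], Response]] = {
    "/home": home,
    "/admin/users": admin_users,
    "/admin/delete": admin_delete,
}


def vulnerable_dispatch(path: str, session: Optional[Session]) -> Response:
    if session is None:
        return 302, "Location: /login"
    handler = VULN_ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(session)  # no role check: forced browsing succeeds


# --- Hardened pattern -------------------------------------------------------
# One central table maps every route to the minimum role it requires, and the
# dispatcher enforces it before the handler runs. A route missing from the
# table is denied (404), so a newly added page is protected by default.
ROLE_RANK = {"user": 1, "admin": 2}
ROUTES: Dict[str, Tuple[str, Callable[[Session], Response]]] = {
    "/home": ("user", home),
    "/admin/users": ("admin", admin_users),
    "/admin/delete": ("admin", admin_delete),
}


def hardened_dispatch(path: str, session: Optional[Session]) -> Response:
    if session is None:
        return 302, "Location: /login"
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    required_role, handler = entry
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required_role]:
        return 403, "forbidden"  # valid session, wrong role
    return handler(session)


if __name__ == "__main__":
    alice = Session("alice", "user")
    print("vulnerable:", vulnerable_dispatch("/admin/users", alice))
    print("hardened:  ", hardened_dispatch("/admin/users", alice))
```

The check lives in one place and is keyed on the path, so it cannot be forgotten when a developer adds a page and forgets to hide its link. A session tells you who the caller is; only the role-to-route table tells you what they may do.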

Some common examples:...