Using forceful browsing, attackers may gain access to restricted parts in the Web server directory. This kind of attack occurs when the attacker "forces" a URL by accessesing it directly instead of following links.
The basic role of Web servers is to serve files. To prevent users from accessing unauthorized files on the Web server, Web servers provide two main security mechanisms: the root directory and access controls lists. The root directory limits users' access to a specific directory within the Web server's file system. All files placed in the root directory and its sub-directories are accessible to users. Using access control lists, administrators can determine whether a file can be viewed or executed by users, as well as other access rights.
For example, consider a registration page that includes an HTML comment mentioning a file named
_private/customer.txt. The file
customer.txt was supposed to be an unreferenced file. However, by typing
http://www.acme-hackme.com/_private/customer.txt, an attacker can retrieve the
customer.txt file and view its contents.
Other good examples are backup and temporary files. Appending "~", ".bak" or ".old" to HTML or CGI names may retrieve an older version of the source code. This is dangerous as many developers embed material into development code that they later remove. For example,
www.xxx.com/cgi-bin/admin.jsp~ returns the
admin.jsp source code.
Attackers use forceful browsing to retrieve pages or perform operations that would otherwise require authentication. Assume Bob wants to transfer $100 to John. Bob logs in to his bank account, and clicks on
fundsxfer.asp. He then types in the account names and amount, and
xfer.asp with the transaction details, i.e.
Xfer.asp validates the input (the "from" parameter is an authenticated user and the "sum" parameter reflects existing amount of money) and automatically redirects the browser to:
dofundxfer.asp?from=bob&to=john&sum=100. By accessing
dofundxfer.asp directly, Bob can bypass the user verification and transfer money from John to himself by typing
Forceful browsing is usually combined with Brute Force techniques to gather information by attempting to access as many URLs as possible to enumerate directories and files on a server. Attackers may check for all variations of commonly existing files. For example, a password file search would encompass files including psswd.txt, password.htm, password.dat, and other variations.