When you go to a store to look around, the clerk may ask if they can help you. No, you’re just browsing, you say. You’re not necessarily in search of anything in particular. We do the same thing online. Web browsing is a way to satisfy our curiosity, to delve into areas that interest us, to survey a subject quickly and without commitment. Forceful browsing is something different. It’s illegitimate and unethical. And it’s not innocent.
When you browse a website, you are ultimately accessing a physical server with software running on it. Each website defines its own access levels: you may have access as a basic user while others hold higher privileges. Whatever your rights, you should access only those pages and resources for which you have been legitimately granted permission.
The owners of the website are perfectly justified in limiting access and protecting their online assets. You would not walk into a store and take anything you like, not without consequences anyway. Attackers who use forceful browsing, also known as forced browsing, access resources that do not belong to them and for which they have not been given permission. The same technique is sometimes called file enumeration, predictable resource location, or directory enumeration.
The web security company Barracuda offers a clear definition for us: “Forceful browsing is an attack technique used to gain access to restricted pages or other sensitive resources in a web server by forcing the URL directly.” Those who use forceful browsing tactics go places on a web server they shouldn’t.
For a simple example, suppose a site hosting an online library stores text files in folders. When you log in, you are shown the folders you are allowed to browse. Someone doing forceful browsing would request a folder not assigned to them, guessing its name by hand or with a readily available scanning tool.
OWASP provides a couple of more sophisticated examples. The first involves a user who has legitimate rights to a system but snoops around in someone else’s data. The first line below shows the URL when the would-be intruder, user 1, looks at his own agenda. The second line is the result of the curious user’s modification so that he can see the calendar of user 6. The attack works only because the server trusts the user name typed into the path instead of checking it against the identity of the logged-in session:
www.site-example.com/users/calendar.php/user1/20070715
www.site-example.com/users/calendar.php/user6/20070716
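To make the point concrete, here is an added Python example (not from OWASP or the original article) that models the calendar endpoint above as two handlers: one that trusts the user name in the URL, as the vulnerable site does, and one that compares it against the authenticated session before touching the data. The calendar store, the user names and dates, the `Request` object and the `role` field are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample data standing in for the site's calendar store.
# The users, dates and entries are made up for this example.
CALENDARS = {
    ("user1", "20070715"): ["09:00 dentist", "14:00 team sync"],
    ("user6", "20070716"): ["11:00 board meeting (confidential)"],
}

# Only the exact shape of the OWASP URL is accepted; anything else is a 404.
PATH_RE = re.compile(r"^/users/calendar\.php/(?P<user>[A-Za-z0-9_]+)/(?P<date>\d{8})$")


@dataclass
class Request:
    path: str
    session_user: str   # identity the server established from the session, not from the URL
    role: str = "user"  # hypothetical role attribute; "admin" may read any calendar


def vulnerable_calendar(req):
    """Behaviour in the OWASP example: whoever is named in the URL gets served."""
    m = PATH_RE.match(req.path)
    if not m:
        return 404, None
    key = (m["user"], m["date"])
    if key not in CALENDARS:
        return 404, None
    return 200, CALENDARS[key]


def hardened_calendar(req):
    """Object-level check: the user in the URL must be the session user (or the caller is an admin)."""
    m = PATH_RE.match(req.path)
    if not m:
        return 404, None
    if m["user"] != req.session_user and req.role != "admin":
        # Deny before looking anything up, so the response does not reveal
        # whether user6 or that date exists at all.
        return 403, None
    key = (m["user"], m["date"])
    if key not in CALENDARS:
        return 404, None
    return 200, CALENDARS[key]


if __name__ == "__main__":
    own = Request("/users/calendar.php/user1/20070715", session_user="user1")
    other = Request("/users/calendar.php/user6/20070716", session_user="user1")
    print("vulnerable, own   :", vulnerable_calendar(own))
    print("vulnerable, other :", vulnerable_calendar(other))   # user1 reads user6's calendar
    print("hardened,   own   :", hardened_calendar(own))
    print("hardened,   other :", hardened_calendar(other))     # refused
```

The fix is a single comparison, but it has to happen on every handler that takes an identifier from the URL; a login check alone does not help, because user 1 is logged in and is still the wrong person to be reading user 6's agenda.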
In the second example, OWASP suggests a brief list of commonly named directories that an attacker might try to access. He could even automate the browsing with a software tool that requests one candidate name after another, brute-forcing the server until something answers. He might try directories like these:
/system/
/password/
/logs/
/admin/
/test/
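Automated directory brute-forcing leaves a recognisable trace: one client, a burst of 403/404 responses, a scanner's User-Agent. The following added Python example (mine, not from OWASP or the original article) parses a handful of constructed Combined Log Format lines and flags any client that produced several such responses within a short window, listing which of the directories named above it touched. The log lines, IP addresses, timestamps and the "dirb 2.22" User-Agent string are all made up for the example; the threshold and window are tunable assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2007:10:00:01 +0000] "GET /system/ HTTP/1.1" 404 162 "-" "dirb 2.22"
203.0.113.7 - - [15/Jul/2007:10:00:01 +0000] "GET /password/ HTTP/1.1" 404 162 "-" "dirb 2.22"
203.0.113.7 - - [15/Jul/2007:10:00:02 +0000] "GET /logs/ HTTP/1.1" 404 162 "-" "dirb 2.22"
203.0.113.7 - - [15/Jul/2007:10:00:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "dirb 2.22"
203.0.113.7 - - [15/Jul/2007:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "dirb 2.22"
198.51.100.4 - - [15/Jul/2007:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jul/2007:10:00:09 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Directory names OWASP lists as common brute-force targets, and the status
# codes that tell the scanner "nothing served here" / "exists but refused".
WATCHLIST = {"/system/", "/password/", "/logs/", "/admin/", "/test/"}
PROBE_STATUSES = {403, 404}


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"]}


def find_enumerators(log_text, threshold=4, window=timedelta(seconds=10)):
    """Flag clients with >= threshold 403/404 responses inside `window`.

    Returns {ip: {"paths": [...], "watchlist_hits": [...], "user_agents": [...]}}.
    A single 404 from a normal browser (a missing image) never trips this;
    a wordlist scan does within its first few requests.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] in PROBE_STATUSES:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # sliding window over this client's error responses
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                paths = sorted({r["path"] for r in recs})
                flagged[ip] = {
                    "paths": paths,
                    "watchlist_hits": [p for p in paths if p in WATCHLIST],
                    "user_agents": sorted({r["ua"] for r in recs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

The 403 on `/admin/` is worth a second look in its own right: it tells the scanner that the directory exists, which is exactly the kind of hint an enumeration tool is fishing for, so many teams serve the same 404 for "forbidden" and "missing" paths.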
What is the attacker trying to accomplish with forceful browsing? He may be looking for sensitive information that he knows must be there, for something he considers valuable, or he may simply want to prove to himself that he can get in.
The Washington Post reported that it would be possible for unauthorized users to gain control of a hospital cabinet with a forced browsing attack. Tim Elrod, a consultant at FishNet Security, discovered the vulnerability. “At that point, we had full administrative control,” Elrod said. “We could do anything.”
Another vulnerability was discovered in Seagate wireless devices. Betanews cited remarks from a research group:
“Impact Description: Attackers can gain access to all files stored in affected devices. This vulnerability requires attackers to be within range of the device’s wireless network.”
What an attacker stands to gain depends on the value of the information he finds. Without proper web security, there’s no telling what he could do.
So how can you stop attackers from snooping around in directories where they don’t belong? Barracuda says there are two solutions:
1) enforcing an application URL space whitelist
2) using proper access control.
A whitelist, according to Techopedia, is “a list of entities approved for authorized access or privileged membership to enter a specific area in the computing world”. Applied to a web application, that means the server spells out the exact set of URLs it intends to serve and refuses everything else, rather than trying to list every path an attacker might guess. If you want to keep people from forceful browsing on your web server, enforcing a URL whitelist is a sound first step, with one caveat: the match has to be made against the decoded, normalized request path, because a pattern checked against the raw URL can be sidestepped with percent-encoding or `..` segments.
The application security provider Veracode says that restricting file permissions and using access control lists can keep the bad guys out. They point out that web administrators can also limit access to data by file type. Why would a regular user need access to a .log file? There are more than a few ways to mitigate forceful browsing.
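Putting the two pieces of advice above together, here is an added Python example (mine, not Barracuda's or Veracode's code) of a request filter that enforces a URL-space whitelist with a role per route, refuses a set of file extensions outright, and canonicalizes the path before matching so that encoded or traversal-style URLs cannot slip past a pattern written for the clean form. The route table, the role names, the denied-extension list and the status-code conventions are all hypothetical choices for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical route table: only these URL patterns are served at all, each
# with the roles allowed to reach it. Anything not listed is refused.
ROUTE_ALLOWLIST = [
    (re.compile(r"^/$"), {"anonymous", "user", "admin"}),
    (re.compile(r"^/login$"), {"anonymous", "user", "admin"}),
    (re.compile(r"^/static/[A-Za-z0-9_\-]+\.(css|js|png)$"), {"anonymous", "user", "admin"}),
    (re.compile(r"^/users/calendar\.php/[A-Za-z0-9_]+/\d{8}$"), {"user", "admin"}),
    (re.compile(r"^/admin/(?:[A-Za-z0-9_]+/?)*$"), {"admin"}),
]

# File types a browser request should never retrieve directly, whatever the route.
DENIED_EXTENSIONS = {".log", ".bak", ".sql", ".env", ".ini"}


def canonicalize(raw_path):
    """Decode and normalize a request path; return None if it is malformed.

    Matching is done on the result, never on the raw string, so
    '/admin/%2e%2e/', '/admin/%252e%252e/' and '//admin/' are all seen for
    what they are.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment first
    path = unquote(unquote(path))                        # collapse double-encoding such as %252e
    if "\x00" in path:
        return None
    path = "/" + path.lstrip("/")        # exactly one leading slash (posixpath keeps '//' special)
    if ".." in path.split("/"):
        return None                      # traversal is never a legitimate application URL
    trailing = path.endswith("/") and path != "/"
    path = posixpath.normpath(path)      # removes '.' segments and repeated slashes
    return path + "/" if trailing else path


def authorize(raw_path, role):
    """Return (status, canonical_path).

    400: malformed path; 403: denied file type or wrong role;
    404: outside the application's URL space; 200: allowed.
    """
    path = canonicalize(raw_path)
    if path is None:
        return 400, None
    if any(path.lower().endswith(ext) for ext in DENIED_EXTENSIONS):
        return 403, path
    for pattern, roles in ROUTE_ALLOWLIST:
        if pattern.match(path):
            return (200 if role in roles else 403), path
    return 404, path


if __name__ == "__main__":
    for url, role in [("/admin/", "user"), ("/admin/", "admin"), ("/logs/", "admin"),
                      ("/admin/%2e%2e/logs/", "admin"), ("/static/app.log", "anonymous")]:
        print(f"{role:>9} {url:<22} -> {authorize(url, role)}")
```

Two things this filter does not do, by design: it does not decide whether user 1 may read user 6's calendar (that is an object-level check inside the handler, not a URL-shape question), and it does not replace file-system permissions on the server, which are the last line of defence if the application is misconfigured. It is the front gate, not the whole fence.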
There’s nothing wrong with being curious. But it’s incumbent on all of us to respect the property of others. If you find that — by accident — you’ve accessed an area of a website where you shouldn’t be, it might be nice to report the vulnerability to the web administrator. Those who do it on purpose — well, I’ll leave that to their own consciences. A web admin’s job is to keep them out the best he can. Consider Total Uptime’s Web Application and API Protection suite to help you implement protections against forceful browsing today!