A Forced browsing attack is a vulnerability in which an unauthorized user has access to the contents of an authorized user. Forced browsing is an attack when a Web application has more than one user privilege level for the same user. Thus, an attacker gets sensitive information which should otherwise not be accessible to him/her.The attacker can use a brute force approach to get common directories, files, or information of user accounts present on the website.Forced browsing is named so because we are forcefully browsing the URL which only an authorized user is supposed to browse.Also, using forceful browsing, a hacker can get access to common files that may contain important data.Forced browsing attacks can also be performed using hit and trial method where application index pages and directories are based on predictable values. Due to its severity, it’s ranked in OWASP Top 10 vulnerability list.

Concept

Users of a website have a different set of privileges.A website is not vulnerable only if users cannot access admin privileges, but if users access admin rights and commands by simple copy and paste of admin URL, he/she can do a lot of damage to the website and to the company.

How The Attack Works

Example 1
 Let’s assume a  user logs on to his account and the URL is-  www.gfg.com/info/user1.php. Now, he copies this URL and pastes it in the incognito mode tab.If the same page opens, it means the website isn’t checking for authentication. The user can modify the URL by a hit and trial or brute force approach like this-www.gfg.com/info/user2.php and load the page. He will get information of user2 present on that website without asking for password or email ID or any sort of identity verification to access the account of user2.Similarly, if the user gets the URL of the admin somehow, he will be able to get admin privileges without any authentication.So, this vulnerability is critical.

Example 2
Let’s assume a user logged in to Amazon website has a URL- www.amazon.com/orders/123. Now, he identifies that 123 is his order ID. he changes this value to see whether he can see random users orders or not. He modified the URL to www.amazon.com/orders/122. Now if the Amazon website has a forced browsing vulnerability, the website will show it the orders of a random customer having an order ID of 122.  Thus, the attacker being an authorized user gained access to unauthenticated content which he is not supposed to get.

Forceful Browsing Methods

• Manual prediction: As discussed in the above example, where the user manually (using hit and trial method) finds out that the website suffers from forced browsing vulnerability by simply changing some values of the URL.
• Automated prediction: This method includes using automated tools like dirbuster for finding out common files and directory names that might contain sensitive information.
• Open-source methods: The “Exploit.db” is a platform that lists out the vulnerability of most of the application software and websites.One can take the help of this website to further learn about the attacks.

How To Avoid Forced Browsing

• For every web page that is accessed, the developer must ensure that only the authenticated user is authorized to gain access to the content.
• Authenticated users shouldn’t be able to use authorized content. An authorization check is needed at every step to ensure security.
• Creating a white list, allowing explicit access to a set of URLs that are considered, allows part of the application to exercise its functionality as intended. Any request not in this URL space is denied by default.