
Predictable Resource Location

Page history last edited by Robert Auger 10 years, 10 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-34

 

Predictable Resource Location

Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality. By making educated guesses, typically via brute forcing, an attacker can find file and directory names that were not intended for public viewing. Brute forcing filenames is easy because files and paths often follow common naming conventions and reside in standard locations. Such resources include temporary files, backup files, logs, administrative site sections, configuration files, demo applications, and sample files. They may disclose sensitive information about the website or web application internals, such as database details, passwords, machine names, or file paths to other sensitive areas.

This not only helps identify attack surface that may lead to additional site vulnerabilities, but may also disclose valuable information to an attacker about the environment or its users. Predictable Resource Location is also known as Forced Browsing, Forceful Browsing, File Enumeration, and Directory Enumeration.

 

Example

Any attacker can make arbitrary file or directory requests to any publicly available web server. The existence of a resource can be determined by analyzing the web server's HTTP response codes. There are several variations of the Predictable Resource Location attack:

Blind searches for common files and directories:

 

/admin/
/backup/
/logs/
/test/
/test.asp
/test.txt
/test.jsp
/test.log
/Copy%20of%20test.asp
/Old%20test.asp
/vulnerable_file.cgi

Adding or altering the extension of an existing filename (here /test.asp):

 

/test.asp.bak
/test.asp.txt
/test.bak
/test
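As an added example (not part of the WASC page), a defender-side check: the same predictable names and response-code analysis the attack relies on can be turned around to spot enumeration in a web server's access log. The log lines and IP addresses are constructed, and the name list is an assumption drawn from the examples above.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /test.asp.bak HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /test.asp.txt HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /Old%20test.asp HTTP/1.1" 403 162
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /logs/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /missing.html HTTP/1.1" 404 162
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed watch-list built from the WASC examples: common directories, backup/temp
# suffixes, and "Copy of"/"Old" name variants. Tune it per site (e.g. /robots.txt is benign).
PREDICTABLE_PATH = re.compile(
    r'^/(admin|backup|logs?|test)(/|$)'
    r'|\.(bak|old|orig|txt|log|tmp|swp|~)$'
    r'|copy(%20|\s)of'
    r'|^/old(%20|\s)',
    re.IGNORECASE,
)

def parse_line(line):
    """Return (ip, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m['ip'], m['path'], int(m['status'])) if m else None

def find_enumeration(log_text, miss_threshold=3):
    """Flag clients that probed several watch-listed names and mostly got 403/404.
    A 200 on a watch-listed name is recorded as a hit: a guess that found a real resource."""
    stats = defaultdict(lambda: {"probes": 0, "misses": 0, "hits": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not PREDICTABLE_PATH.search(parsed[1]):
            continue
        ip, path, status = parsed
        stats[ip]["probes"] += 1
        if status in (403, 404):
            stats[ip]["misses"] += 1
        elif status == 200:
            stats[ip]["hits"].append(path)
    return {ip: s for ip, s in stats.items() if s["misses"] >= miss_threshold}

if __name__ == "__main__":
    for ip, s in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes, {s['misses']} misses, exposed: {s['hits']}")
```

On the constructed log, 203.0.113.5 is flagged with six probes, five misses and one exposed resource (/logs/), while 198.51.100.7, whose single 404 was for an ordinary page, is not.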

 

Content that does not need to be world accessible should either be protected by proper access controls or removed entirely.

 

Tools

Grendel Scan

http://grendel-scan.com/

 

JBroFuzz

http://sourceforge.net/projects/jbrofuzz

 

OWASP List of Tools

http://www.owasp.org/index.php/Phoenix/Tools

 

Nikto

http://www.cirt.net/

 

w3bfukk0r

http://www.ngolde.de/w3bfukk0r.html

 

 

References

CWE-425 - Direct Request ('Forced Browsing')

[1] http://cwe.mitre.org/data/definitions/425.html

 

Forced browsing

[2] http://www.owasp.org/index.php/Forced_browsing

 

See also 'Insufficient Authorization'

[3] http://projects.webappsec.org/Insufficient-Authorization

 
