Forced browsing
The attack code for forced browsing is AT08.
As described by OWASP, forced browsing is an attack where the aim is to enumerate and
access resources that are not referenced by the application but are still accessible.
This is a nasty and genuinely dangerous problem. You have SOAP/WSDL or, more commonly, a REST service infrastructure with plenty of handy services available. Building a REST service is so easy, as demonstrated earlier, that once you start it is almost impossible to stop. You have services for internal purposes such as accounting/finance, delivery and warehouse, procurement and provisioning, plus the OrderRequest and getInvoice services that you decided to make public. Or do you just think that only those two are public?
Some of the scanners mentioned earlier can traverse the victim's server to find resources that are not declared but are still exposed, typically under a much weaker security model than the published ones. Brute-force guessing of resource names works as well.
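Two defender-side checks for the situation described above, added here as an example and not taken from the book: an inventory audit that compares the routes a service actually serves with the ones declared public (flagging undeclared routes reachable without authentication), and a detection pass over access-log lines for a client probing many distinct paths and mostly receiving 401/403/404. The route table, the declared set and the log lines are all constructed for illustration; `audit_undeclared_routes` and `detect_enumeration` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed route table as a framework might report it: (path, auth_required).
SERVED_ROUTES = [
    ("/api/OrderRequest", True),
    ("/api/getInvoice", True),
    ("/api/accounting/ledger", False),      # internal service, reachable without auth
    ("/api/warehouse/stock", False),
    ("/api/procurement/provision", True),
]
# What the team believes is the public API surface (constructed).
DECLARED_PUBLIC = {"/api/OrderRequest", "/api/getInvoice"}

def audit_undeclared_routes(served, declared):
    """Served-but-undeclared routes, unauthenticated ones listed first."""
    undeclared = [(path, auth) for path, auth in served if path not in declared]
    return sorted(undeclared, key=lambda r: (r[1], r[0]))

# Common-log-format line: client, timestamp, "METHOD path HTTP/x", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE) (\S+) [^"]*" (\d{3})')
def detect_enumeration(log_lines, min_distinct_paths=5, error_ratio=0.6):
    """Clients that probed many distinct paths and mostly got 401/403/404 back."""
    paths, errors, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of failing
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        total[client] += 1
        paths[client].add(path)
        if status in (401, 403, 404):
            errors[client] += 1
    return sorted(c for c in total
                  if len(paths[c]) >= min_distinct_paths
                  and errors[c] / total[c] >= error_ratio)

# Constructed access-log sample: one scanner-like client, one ordinary client.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/OrderRequest HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /api/getInvoice HTTP/1.1" 200 801',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /api/{p} HTTP/1.1" 404 153'
    for i, p in enumerate(["admin", "backup", "finance", "delivery", "wsdl", "config"])
]

if __name__ == "__main__":
    print(audit_undeclared_routes(SERVED_ROUTES, DECLARED_PUBLIC))
    print(detect_enumeration(SAMPLE_LOG))
```

The audit is only as good as the route table you feed it, so pull it from the framework's own registry (or the deployed WSDL) rather than from documentation.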