Lesson Plan Title: How to Perform Forced Browsing Attacks.

Concept / Topic To Teach:

How to Exploit Forced Browsing.

How the attack works:

Forced browsing is a technique used by attackers to gain access to resources that are not referenced (not linked from any page) but are nevertheless accessible. One technique is to manipulate the URL in the browser by deleting sections from the end until an unprotected directory is found; another is to guess the names of hidden resources directly.
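From the defender's side, a forced-browsing attempt leaves a recognisable trace in the web server access log: one client requesting several unlinked paths that return 404, sometimes followed by a 200 for the resource it finally found. The following added example (not part of the original lesson) parses constructed combined-format log lines and flags clients showing that pattern; the IP addresses, timestamps and paths are made up for illustration, and the threshold of three distinct 404 paths is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format). Not real traffic:
# 10.0.0.5 probes several guessed paths before hitting /WebGoat/conf,
# 10.0.0.9 is an ordinary client with one broken image link.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /WebGoat/attack HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /WebGoat/config HTTP/1.1" 404 312
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /WebGoat/configuration HTTP/1.1" 404 312
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /WebGoat/admin HTTP/1.1" 404 312
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /WebGoat/conf HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /WebGoat/attack HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /WebGoat/images/logo.png HTTP/1.1" 404 312
"""

# Minimal parser for the combined log format: client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Return a list of dicts with ip, method, path and integer status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        entries.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def find_forced_browsing(entries, min_404=3):
    """Flag clients that requested at least `min_404` distinct paths which
    returned 404 (guessing for unlinked resources). For each flagged client,
    also report paths that returned 200 *after* the probing started, since
    those are the hidden resources the client actually reached."""
    by_ip = defaultdict(lambda: {"not_found": set(), "found": []})
    for e in entries:  # entries are in log order
        rec = by_ip[e["ip"]]
        if e["status"] == 404:
            rec["not_found"].add(e["path"])
        elif e["status"] == 200 and rec["not_found"]:
            rec["found"].append(e["path"])
    return {
        ip: {"probes": sorted(r["not_found"]), "found": r["found"]}
        for ip, r in by_ip.items()
        if len(r["not_found"]) >= min_404
    }


if __name__ == "__main__":
    for ip, info in find_forced_browsing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: probed {info['probes']}, reached {info['found']}")
```

On the constructed log this flags 10.0.0.5 only, with /WebGoat/conf as the resource reached after probing. In a real deployment the same logic runs over a rolling time window, and the 200-after-404 signal is the one to escalate: it means an unlinked resource is being served without an authorization check.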

General Goal(s):

Your goal should be to try to guess the URL for the "config" interface.
The "config" URL is only available to the maintenance personnel.
The application doesn't check for horizontal privileges.

Figure 1 Insecure configuration management – Forced Browsing

Solution:

If you want to access a restricted page, you need to be able to guess the URI to access the page, for example /admin.

In this environment, WebGoat consists of different servlets that live in the WebGoat application. The main servlet is /attack; what could the servlet for config be?

Try to access config, configuration, conf, ….

Figure 2 No config

Figure 3 No configuration

Figure 4 Bingo for conf

This could be automated with a tool like Wikto 2.0.
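The root cause in this lesson is that /conf is protected only by not being linked anywhere: the servlet dispatcher serves it to whoever asks. The following added example (written for this edit, not WebGoat's own code) models that dispatcher in Python and shows the fix, which is to look up a required role for every route and deny by default. The handler names, the Request class and the role names "user" and "maintenance" are assumptions for illustration; only the /attack and /conf paths come from the lesson.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means an unauthenticated client
    role: Optional[str] = None   # assumed roles: "user" or "maintenance"


# Stand-ins for the servlets. /attack and /conf are the lesson's paths;
# the handler bodies are constructed.
def attack_handler(req):
    return 200, "lesson content"


def conf_handler(req):
    return 200, "configuration interface"


HANDLERS = {"/attack": attack_handler, "/conf": conf_handler}


def dispatch_vulnerable(req):
    """Routes purely on path. /conf is 'hidden' only because nothing links
    to it, so any client that guesses the name gets the maintenance UI."""
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# Authorization policy: every routable path must have an entry here.
REQUIRED_ROLE = {"/attack": "user", "/conf": "maintenance"}
ROLE_RANK = {"user": 1, "maintenance": 2}   # higher rank implies lower ones


def dispatch_hardened(req):
    """Same routing, but the server checks the caller's role against the
    policy on every request instead of relying on the URL being unknown."""
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, "not found"
    required = REQUIRED_ROLE.get(req.path)
    if required is None:
        # A route without a policy entry is a configuration bug: fail closed.
        return 403, "forbidden"
    if req.role is None or ROLE_RANK.get(req.role, 0) < ROLE_RANK[required]:
        return 403, "forbidden"
    return handler(req)


if __name__ == "__main__":
    guesser = Request("/conf", user="alice", role="user")
    print("vulnerable:", dispatch_vulnerable(guesser))   # (200, ...)
    print("hardened:  ", dispatch_hardened(guesser))     # (403, ...)
```

The check lives in the dispatcher rather than in individual servlets so that a new hidden path cannot be added without a policy entry. Whether to answer unauthorized requests with 403 or with the same 404 an unknown path gets is a separate design choice; the former is clearer for operators, the latter avoids confirming that the resource exists.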

Solution by Erwin Geirnaert ZION SECURITY