Forced Browsing
What is Forced Browsing?
Forced browsing is a type of cyberattack where an attacker attempts to access directories, files, or other resources that a website does not intend to make publicly available. Instead of navigating through public pages and links, the attacker directly inputs a URL into the browser's address bar to probe for hidden files or directories on the server. Common methods to identify non-public paths include:
- Directory Listing
If the web server's directory index feature is enabled, specifying a directory's URL can display a list of files within it. If sensitive files reside in those directories, attackers can easily identify their names. - HTML File Comments
Comments embedded within the HTML code can inadvertently reveal paths to non-public resources. - URL Guessing
By examining directory listings or information from HTML comments, attackers may deduce the site's naming conventions. They can then use these patterns to speculate the names of non-public files in other directories.
Prevention Measures:
To prevent forced browsing attacks:
- Disable the directory listing feature (in Apache, remove the "Indexes" option from http.conf).
- Remove unnecessary comments from public HTML files.
- Restrict the scope of access allowed to web applications.
Additionally, implementing a Web Application Firewall (WAF) can effectively mitigate such attacks. F5 offers the F5 BIG-IP, which integrates robust WAF capabilities to safeguard against forced browsing and other cyber threats.

