Forced Browsing

What is Forced Browsing?

Forced browsing is a type of cyberattack where an attacker attempts to access directories, files, or other resources that a website does not intend to make publicly available. Instead of navigating through public pages and links, the attacker directly inputs a URL into the browser's address bar to probe for hidden files or directories on the server. Common methods to identify non-public paths include:

• Directory Listing
  If the web server's directory index feature is enabled, specifying a directory's URL can display a list of files within it. If sensitive files reside in those directories, attackers can easily identify their names.
• HTML File Comments
  Comments embedded within the HTML code can inadvertently reveal paths to non-public resources.
• URL Guessing
  By examining directory listings or information from HTML comments, attackers may deduce the site's naming conventions. They can then use these patterns to speculate the names of non-public files in other directories.

Prevention Measures:

To prevent forced browsing attacks:

• Disable the directory listing feature (in Apache, remove the "Indexes" option from http.conf).
• Remove unnecessary comments from public HTML files.
• Restrict the scope of access allowed to web applications.

Additionally, implementing a Web Application Firewall (WAF) can effectively mitigate such attacks. F5 offers the F5 BIG-IP, which integrates robust WAF capabilities to safeguard against forced browsing and other cyber threats.