{
    "id": "bundle--3854e44a-10ea-4970-8e82-5db4b70ba65e",
    "objects": [
        {
            "created": "2014-06-23T00:00:00.000Z",
            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
            "description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.",
            "external_references": [
                {
                    "external_id": "CAPEC-87",
                    "source_name": "capec",
                    "url": "https://capec.mitre.org/data/definitions/87.html"
                },
                {
                    "external_id": "CWE-425",
                    "source_name": "cwe",
                    "url": "http://cwe.mitre.org/data/definitions/425.html"
                },
                {
                    "external_id": "CWE-285",
                    "source_name": "cwe",
                    "url": "http://cwe.mitre.org/data/definitions/285.html"
                },
                {
                    "external_id": "CWE-693",
                    "source_name": "cwe",
                    "url": "http://cwe.mitre.org/data/definitions/693.html"
                },
                {
                    "description": "Predictable Resource Location",
                    "external_id": "34",
                    "source_name": "WASC",
                    "url": "http://projects.webappsec.org/Predictable-Resource-Location"
                },
                {
                    "description": "Forced browsing",
                    "source_name": "OWASP Attacks",
                    "url": "https://owasp.org/www-community/attacks/Forced_browsing"
                }
            ],
            "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6",
            "modified": "2020-12-17T00:00:00.000Z",
            "name": "Forceful Browsing",
            "object_marking_refs": [
                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
            ],
            "type": "attack-pattern",
            "x_capec_abstraction": "Standard",
            "x_capec_child_of_refs": [
                "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a"
            ],
            "x_capec_consequences": {
                "Access_Control": [
                    "Bypass Protection Mechanism"
                ],
                "Authorization": [
                    "Bypass Protection Mechanism"
                ],
                "Confidentiality": [
                    "Read Data",
                    "Bypass Protection Mechanism"
                ]
            },
            "x_capec_domains": [
                "Software"
            ],
            "x_capec_example_instances": [
                "\n               <xhtml:p>A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.</xhtml:p>\n               <xhtml:p>An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.</xhtml:p>\n            "
            ],
            "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Spider: </b>Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt well-known or guessable resource locations: </b>Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record attempts on well-known URLs.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Use unauthorized resources: </b>By visiting the unprotected resource, the attacker makes use of unauthorized functionality.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Access unprotected functions and execute them.</td></tr></tbody></table><li> <p> <b>View unauthorized data: </b>The attacker discovers and views unprotected sensitive data.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)</td></tr></tbody></table></ol></div>",
            "x_capec_likelihood_of_attack": "High",
            "x_capec_prerequisites": [
                "The forcibly browseable pages or accessible resources must be discoverable and improperly protected."
            ],
            "x_capec_resources_required": [
                "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement."
            ],
            "x_capec_skills_required": {
                "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult."
            },
            "x_capec_status": "Draft",
            "x_capec_typical_severity": "High",
            "x_capec_version": "3.9"
        }
    ],
    "spec_version": "2.0",
    "type": "bundle"
}