WackoPicko/Forceful-Browsing

From aldeid
Jump to: navigation, search
You are here:
Forceful Browsing

Description

Forceful browsing is an attack that aims at enumerating resources that are:

  • Predictable Resource Location attack, which is based on a manual and oriented identification of resources by modifying URL parameters
  • Not referenced by the application (list of links in the application), but are accessible.

Forceful browsing is usually combined with Brute Force techniques to gather information by attempting to access as many URLs as possible to enumerate directories and files on a server.

In WackoPicko, the user doesn't have to purchase the picture to see the high quality version because the URL is easily known and the only thing the user needs is the id of the image.

Proof of Concept

When you complete the process of buying an image in WackoPicko, the full URL to see an image in full size is displayed:

WackoPicko-forceful-browsing-001.png

We can easily see in the code (/pictures/high_quality.php) that no proper control is made to check if the user can see the image:

$user = Users::current_user();
$pic = Pictures::get_picture($picid);

if ($_GET['key'] != $pic['high_quality'])
{
   error_404();
}

header("Content-type: " . mime_content_type($filename));

How to detect?

How to protect against it?

  • Never leave backup files on your web directories (*.bak, *.old, ...) because they can be discovered using brute forcing attacks
  • Avoid easily guessable directory names for sensitive parts of the application. As far as possible, give random names (/dkjhq2EDsdvjhvYVS2876/ is unlikely to be discovered whereas /admin/, /adm/, /private/ or /restricted/ can be easily discovered)
  • Always challenge resources delivered by the server against a privileges matrix to avoid delivering content to non-authorized users.

Comments