December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Recipe 9-3: Preventing Forceful Browsing Attacks
This recipe shows you how to identify when attackers attempt to access resources without following the appropriate user interface work flows.
Ingredients
- ModSecurity
- Version 2.7 or higher
- Directives
- SecDisableBackendCompression
- SecContentInjection
- SecStreamOutBodyInspection
- SecEncryptionEngine
- SecEncryptionKey
- SecEncryptionParam
- SecEncryptionMethodRx
CAPEC-87: Forceful Browsing
An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry.
Usually, a front controller or similar design pattern is employed to protect access to portions of a web application.
Forceful browsing enables an attacker to access information, perform privileged operations, and otherwise reach sections of the web application that have been improperly protected.
Sample Attacks
Forceful browsing is an enumeration tactic attackers use to identify resources within a web application. These resources may not be presented by the current user interface but are still accessible if the proper request is sent. This technique can be used to identify hidden directories or backup files, but it may also be used to access other user data if access controls are improperly applied. Here is a sample scenario taken from an actual web assessment I conducted in which an application includes a “customer ID” value within the URL itself:
https://www.REDACTED.com/Cust/cust_5.php/ ...Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.