Rapid7 Vulnerability & Exploit Database

Failure to Restrict URL Access

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 04/01/2006
Created: 07/25/2018
Added: 01/23/2012
Modified: 06/20/2013

Description

In forced browsing, an attacker requests and enumerates "hidden" resources on a Web site that the Web application never links to. If those pages are not protected by appropriate access control policies, they are open to unrestricted access even though their URLs are not displayed anywhere. This flaw belongs to category A8 in the OWASP Top Ten 2010: Failure to Restrict URL Access.

In some cases, the URLs flagged for Failure to Restrict URL Access may not provide sensitive information or access to administrative functions, even though they are only linked from the authenticated part of the Web application. One example is the identification of a Browsable Web Directory vulnerability in a path only accessible after authentication.
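To make the point concrete, here is an added example (not Rapid7's code or the scanner's check) of a toy request dispatcher: the vulnerable version relies on the admin link simply being hidden from the navigation, while the hardened version enforces a deny-by-default role policy on every request. Route paths, roles and session objects are constructed for illustration.

```python
# Added example, not part of the Rapid7 page: why an unlinked URL is not a
# protected URL, and what per-request authorization looks like instead.
# Route names, roles and sessions are constructed for illustration only.

HANDLERS = {
    "/": lambda session: "home",
    "/account": lambda session: "account page",
    "/admin/users": lambda session: "user list",  # only linked from the admin menu
}

def vulnerable_dispatch(path, session):
    """Security by obscurity: the admin link is hidden for non-admins, but
    anyone who guesses or enumerates the URL reaches the handler, because
    no authorization check runs before it."""
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(session)

# Hardened: every route carries an explicit set of roles allowed to reach it
# (empty set = public), and any path not listed is denied outright.
ROUTE_POLICY = {
    "/": (set(), HANDLERS["/"]),
    "/account": ({"user", "admin"}, HANDLERS["/account"]),
    "/admin/users": ({"admin"}, HANDLERS["/admin/users"]),
}

def hardened_dispatch(path, session):
    """Authorization is decided centrally, per request, before any handler."""
    entry = ROUTE_POLICY.get(path)
    if entry is None:
        return 404, "not found"            # unknown URL: deny, never fall through
    required_roles, handler = entry
    if required_roles:
        if session is None:
            return 401, "authentication required"
        if not (required_roles & session.get("roles", set())):
            return 403, "forbidden"        # authenticated, but wrong role
    return 200, handler(session)

if __name__ == "__main__":
    anonymous, normal_user = None, {"roles": {"user"}}
    print(vulnerable_dispatch("/admin/users", anonymous))  # (200, 'user list')
    print(hardened_dispatch("/admin/users", anonymous))    # (401, ...)
    print(hardened_dispatch("/admin/users", normal_user))  # (403, 'forbidden')
```

The same pattern applies to the second paragraph above: a finding in a path "only linked after authentication" is still reachable by direct request unless the server checks the session on that request.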

Solution(s)

  • spider-restrict-url-access
