Web application attack - Forced browsing
- James

- 21 Sep 2025
- Reading time: 2 min
Updated: 27 Sep 2025
Forced Browsing is one of the most underrated web attacks, but its simplicity makes it very effective.
Let’s start from the beginning: a website is a collection of web resources accessible from the Internet using web protocols. That’s clear. You usually begin navigation from the main webpage, and by following the references on that page, you move to other content located at different URLs.
A website may expose resources that are not discoverable through normal navigation but are accessible if the exact URL is known. Requesting such a URL can reveal information that was inadvertently published or left unprotected. That's it!
So, how can you test a website to find out if it is vulnerable to this kind of attack? Maybe you could start by looking at the robots.txt file, which could be an option. robots.txt is a file where the web administrator specifies the files they do not want to be indexed by search engines like Google. However, a better approach is to proceed with fuzzing.
In order to perform a forced browsing test with fuzzing, you have to understand the website's URL patterns. For example, when you navigate a website by clicking its links, you may find an area with restricted access; it could be interesting to see if any critical information is exposed under that path, e.g. https://mywebsite[.]com/userarea/login
You can start manually by requesting https://mywebsite[.]com/userarea/.config or maybe https://mywebsite[.]com/userarea/.cache, either from a browser or with a command-line tool such as curl: curl -v https://mywebsite[.]com/userarea/.cache
However, automating this technique with ffuf (pronounced like 'Fluff' without the 'L') is a more convenient approach.
It is a very powerful tool that you can download from: https://github.com/ffuf/ffuf

You can easily use it from the command line:
ffuf -w words.txt -u https://mywebsite[.]com/userarea/FUZZ
The tool requests the resulting URLs, replacing the word 'FUZZ' with each entry in the wordlist in turn. For a very complete wordlist you can use Daniel Miessler's SecLists project: https://github.com/danielmiessler/SecLists.
Remember: this technique is for learning and legal penetration testing only. Do not use it for illegal purposes. I am not responsible for any misuse.