Forced browsing is the practice of requesting URLs, files, or directories that are not referenced anywhere in the application's visible interface but still exist and are served by the server. Whether done by hand or with a scanner, the attacker bypasses the normal navigation flow by guessing or discovering resource paths directly, often finding unprotected administrative interfaces, backup files, or sensitive data.
How It Works
Applications often rely on the assumption that users will only visit pages they can reach through links and menus. Developers might hide an admin panel by simply not linking to it from the main navigation, or they might leave old API versions accessible without authentication because the frontend no longer calls them. Forced browsing exploits this false sense of security.
Testers use wordlists containing common file and directory names to systematically probe the server. Paths like /admin, /backup, /debug, /test, /api/v1/, /.env, /config.yml, and /phpinfo.php are checked along with thousands of other predictable locations. The server's response reveals what exists: a 200 OK confirms the resource is accessible, a 401 or 403 indicates it exists but is restricted, a redirect to a login page indicates it exists behind authentication, and a 404 Not Found means it probably does not exist. Two caveats apply in practice. Some servers answer 403 for any directory path when listing is disabled, or for anything a WAF dislikes, so a 403 is a hint rather than proof. And some applications answer 200 with a friendly "not found" page for every unknown path (a soft 404), so the tester first requests a path that cannot exist and then compares each response's status and size against that baseline instead of trusting the status code alone.
Beyond directory discovery, forced browsing also applies to sequential or predictable resource identifiers. If invoices are accessible at /invoices/1001, an attacker might try /invoices/1002 through /invoices/9999 to access other users' documents. When the server checks only that the requester is logged in, not that they are allowed to see that particular object, this is an insecure direct object reference (IDOR).
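The probing described above, written out as an added example (this is not the page's own tooling): a small prober that takes a wordlist and an optional identifier sweep, requests a path that cannot exist to learn what "not found" looks like on this server, and then classifies each response against that baseline so soft 404s are not reported as hits. The target host, the wordlist, and the in-memory fake site it runs against offline are all constructed for the demonstration; http_fetch is the fetcher you would pass for a live target.

```python
"""Forced-browsing prober with a soft-404 baseline (added example, not the page's code)."""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Response = Tuple[int, bytes]         # (status code, body)
Fetcher = Callable[[str], Response]  # anything that fetches a URL and returns a Response

# Hypothetical wordlist: a few of the predictable paths the text mentions.
WORDLIST = ["admin", "backup", "debug", "test", "api/v1/", ".env", "config.yml", "phpinfo.php"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to /login is itself a signal worth keeping."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str) -> Response:
    """Real fetcher for live use; the offline demo below uses fake_fetch instead."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "forced-browsing-example"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, err.read()


def candidates(wordlist: Iterable[str], id_prefix: Optional[str] = None,
               id_range: Optional[range] = None) -> List[str]:
    """Wordlist paths plus, optionally, a sequential-identifier sweep such as /invoices/1001.."""
    paths = ["/" + w for w in wordlist]
    if id_prefix and id_range:
        paths += [f"{id_prefix}{i}" for i in id_range]
    return paths


def baseline(base: str, fetch: Fetcher) -> Response:
    """Request a path that cannot exist; its response is what 'absent' looks like here."""
    junk = "".join(random.choices(string.ascii_lowercase, k=20))
    return fetch(f"{base}/{junk}")


def classify(resp: Response, not_found: Response) -> str:
    status, body = resp
    nf_status, nf_body = not_found
    # Same status and nearly the same size as the known-missing page: a soft 404.
    # Tolerance is 5% of the baseline body, since error pages often echo the path.
    if status == nf_status and abs(len(body) - len(nf_body)) <= len(nf_body) // 20:
        return "absent"
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "exists-restricted"
    if status in (301, 302, 307, 308):
        return "redirect"
    if status == 200:
        return "accessible"
    return f"other-{status}"


def probe(base: str, paths: Iterable[str], fetch: Fetcher) -> Dict[str, str]:
    not_found = baseline(base, fetch)
    return {p: classify(fetch(base + p), not_found) for p in paths}


# Constructed stand-in for a server so the example runs offline. Unknown paths get a
# 200 "not found" page, i.e. this fake site has the soft-404 behaviour discussed above.
FAKE_SITE: Dict[str, Response] = {
    "/admin": (200, b"<html><body><h1>Admin panel</h1><form action='/admin/users'></form></body></html>"),
    "/backup": (403, b"Forbidden"),
    "/debug": (302, b""),
    "/.env": (200, b"DB_PASSWORD=hunter2\nSECRET_KEY=abc123\n"),
    "/invoices/1001": (200, b"Invoice 1001 for customer A, total 120.00"),
    "/invoices/1002": (200, b"Invoice 1002 for customer B, total 98.50"),
}
SOFT_404: Response = (200, b"<html><body><h1>Oops, that page does not exist</h1></body></html>")


def fake_fetch(url: str) -> Response:
    path = url[len("https://target.example"):]
    return FAKE_SITE.get(path, SOFT_404)


def demo() -> Dict[str, str]:
    paths = candidates(WORDLIST, id_prefix="/invoices/", id_range=range(1001, 1004))
    return probe("https://target.example", paths, fake_fetch)


if __name__ == "__main__":
    for path, verdict in demo().items():
        if verdict != "absent":
            print(f"{verdict:18} {path}")
```

Against a live target, swap fake_fetch for http_fetch and a real wordlist; the baseline request is the step that keeps a soft-404 site from turning every wordlist entry into a false positive.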
Why It Matters
Forced browsing regularly uncovers critical findings in security assessments. Backup files containing source code or database dumps, exposed configuration files with credentials, forgotten test accounts with default passwords, and administrative interfaces without authentication are all common discoveries. These findings exist because the development team assumed obscurity was sufficient protection.
The defense is straightforward to state: enforce authentication and authorization on every resource, not just the ones linked in the UI. Put the check in one central place with a deny-by-default policy, so that a route nobody remembered to protect is inaccessible rather than open, and check ownership of each object on top of that, so that being logged in is not enough to read someone else's invoice. Remove backups, debug endpoints, test accounts, and retired API versions from production. Return the same 404 for resources that do not exist and for resources the caller is not allowed to know about, so that response codes cannot be used as an existence oracle.
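To make the two halves of that defense concrete, here is an added example (not the page's code, and not tied to any particular framework) of the vulnerable pattern beside the hardened one. The vulnerable dispatcher lets each handler decide for itself, so the unlinked /admin route has no check and the invoice route checks only that an invoice exists. The hardened dispatcher routes through a table where every entry requires authentication unless explicitly marked public, role checks and object-ownership checks both fail with the same 404 as a missing resource, and the invoice data, routes, and users are constructed sample data.

```python
"""Per-handler checks versus a deny-by-default gate (added example, not the page's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]
NOT_FOUND: Response = (404, "not found")


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means unauthenticated
    role: str = "user"


# Constructed sample data: invoice id -> (owner, body)
INVOICES: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "Invoice 1001, total 120.00"),
    1002: ("bob", "Invoice 1002, total 98.50"),
}


# ---- Vulnerable: every handler polices itself, so the unlinked ones are forgotten ----
def vulnerable_dispatch(req: Request) -> Response:
    if req.path == "/dashboard":
        if req.user is None:                 # the linked page remembers to check
            return 302, "/login"
        return 200, f"dashboard for {req.user}"
    if req.path == "/admin":                 # never linked, so never protected
        return 200, "admin panel"
    if req.path.startswith("/invoices/"):
        tail = req.path[len("/invoices/"):]
        inv = INVOICES.get(int(tail)) if tail.isdigit() else None
        return (200, inv[1]) if inv else NOT_FOUND   # any valid id works: IDOR
    return NOT_FOUND


# ---- Hardened: one gate in front of every route; routes opt in to being public ----
Handler = Callable[[Request, str], Response]


@dataclass
class Route:
    pattern: str                  # exact path, or a prefix ending in "*"
    handler: Handler
    public: bool = False          # default deny: authentication required
    role: Optional[str] = None    # optional role requirement


def home(req: Request, rest: str) -> Response:
    return 200, "home"


def dashboard(req: Request, rest: str) -> Response:
    return 200, f"dashboard for {req.user}"


def admin(req: Request, rest: str) -> Response:
    return 200, "admin panel"


def invoice(req: Request, rest: str) -> Response:
    if not rest.isdigit():
        return NOT_FOUND
    inv = INVOICES.get(int(rest))
    # Missing and not-yours are indistinguishable: no oracle for which ids exist.
    if inv is None or inv[0] != req.user:
        return NOT_FOUND
    return 200, inv[1]


ROUTES: List[Route] = [
    Route("/", home, public=True),
    Route("/dashboard", dashboard),
    Route("/admin", admin, role="admin"),
    Route("/invoices/*", invoice),
]


def _matches(route: Route, path: str) -> bool:
    if route.pattern.endswith("*"):
        return path.startswith(route.pattern[:-1])
    return path == route.pattern


def hardened_dispatch(req: Request, routes: List[Route] = ROUTES) -> Response:
    match = next((r for r in routes if _matches(r, req.path)), None)
    if match is None:
        return NOT_FOUND
    if not match.public and req.user is None:      # the gate every route passes through
        return 302, "/login"
    if match.role is not None and req.role != match.role:
        return NOT_FOUND                           # restricted looks exactly like absent
    rest = req.path[len(match.pattern.rstrip("*")):]
    return match.handler(req, rest)


if __name__ == "__main__":
    for r in (Request("/admin"), Request("/invoices/1002", user="alice")):
        print(r.path, "vulnerable:", vulnerable_dispatch(r), "hardened:", hardened_dispatch(r))
```

The point of the table is that forgetting to add a route is safe: a route that is not listed is a 404, and a route that is listed is authenticated unless someone deliberately wrote public=True. The ownership check lives in the handler because only the handler knows which object is being requested, but its failure mode is the same 404 the gate uses, so the prober from the previous section learns nothing from the difference.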
Need your application tested? Get in touch.