Security Test: Forced Browsing

Description

Default Severity:

Forced browsing happens when parts of a web application are not properly protected, so an unauthorized person can reach sensitive areas simply by guessing a URL or entering it directly. Instead of relying on hidden or obscure URLs, developers need to ensure that every page, function, and resource enforces its own authorization check. The vulnerability is dangerous because paths that are not linked from the public interface are still reachable: an attacker who discovers them can access admin functionality, view personal data, or use them as a foothold for further exploitation. A common mistake is assuming that a resource is safe because it is hard to find, rather than implementing robust access control. Skipping these checks can lead to significant security breaches and data exposure.
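The following added example (constructed for this page, not code from the scanner or its vendor) contrasts a route protected only by an unguessable path with a dispatcher that enforces a declared role requirement on every request and denies anything unregistered. The route names, roles and users are hypothetical.

```python
"""Forced browsing: obscurity versus per-request authorization (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    user: Optional[str] = None            # None means anonymous
    roles: FrozenSet[str] = frozenset()   # roles attached to the session


# "Before": the admin page is only "protected" by a path nobody links to.
OBSCURE_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/": lambda req: (200, "home"),
    "/admin-7f3a9c": lambda req: (200, "admin panel"),  # hidden, but reachable by anyone who finds it
}


def dispatch_obscure(req: Request) -> Response:
    handler = OBSCURE_ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


# "After": every route declares who may call it; the dispatcher checks it centrally,
# so a newly added or unlinked page cannot accidentally ship without a check.
ROUTES: Dict[str, Tuple[Set[str], Callable[[Request], Response]]] = {
    "/":        ({"anonymous"}, lambda req: (200, "home")),
    "/profile": ({"user"},      lambda req: (200, f"profile of {req.user}")),
    "/admin":   ({"admin"},     lambda req: (200, "admin panel")),
}


def authorize(req: Request, required: Set[str]) -> bool:
    if "anonymous" in required:
        return True
    return req.user is not None and bool(req.roles & required)


def dispatch(req: Request) -> Response:
    entry = ROUTES.get(req.path)
    if entry is None:
        return (404, "not found")          # unregistered paths are denied, not guessed at
    required, handler = entry
    if not authorize(req, required):
        return (403, "forbidden") if req.user else (401, "authentication required")
    return handler(req)
```

A scanner check for this class of issue does essentially what `dispatch_obscure` permits: it requests candidate paths without credentials and flags any that answer with content instead of a denial.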

Reference:

Configuration

Identifier: access_control/forced_browsing

Examples

All available configuration:

checks:
  access_control/forced_browsing:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API1:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.5.4
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.14.2
NIST                SP800-53
FedRAMP             AC-6
CWE                 862
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
CVSS Score          8.8