Access Control: Forced Browsing
Identifier:
forced_browsing
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
Forced browsing occurs when parts of a web application are not properly protected, allowing an unauthorized user to reach sensitive areas simply by guessing a URL or entering it directly. Instead of relying on hidden or obscure URLs, developers need to ensure that every page, function, or resource enforces its own authorization check. The vulnerability is dangerous because even when the paths are not linked from the public interface, an attacker who discovers them can access admin functionality, view personal data, or use them as a foothold for further attacks. A common mistake is to assume that a resource is safe because it is hard to find, instead of implementing robust access control. Ignoring these checks can lead to significant security breaches and data exposure.
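The following is an added example, not code from the scanner documentation or its vendor. It contrasts the mistake the description warns about (only routes that are linked from the UI get a check, everything else is served) with a deny-by-default authorizer that decides per route from an allow-list, and it includes a minimal version of what a forced-browsing check does: request candidate paths as a low-privilege role and flag any path that is served although the route table does not allow that role. The route table, roles and sample paths are constructed for this example.

```python
"""Added example (not part of the scanner docs): deny-by-default route
authorization versus the "only protect what is linked" pattern, plus a
tiny forced-browsing probe that reports the gap between them.

Everything below is hypothetical: the route table, the roles and the
sample request paths are constructed for this example.
"""
import posixpath
from dataclasses import dataclass

# Hypothetical route table. Every route lists the roles allowed to reach
# it; a path with no entry is unreachable rather than implicitly public.
ROUTE_ROLES = {
    "/": {"anonymous", "user", "admin"},
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": {"admin"},
}


@dataclass
class Request:
    path: str
    role: str  # resolved from the session, never from the URL


def authorize_vulnerable(req: Request) -> int:
    """'Before' pattern: only the route linked from the admin menu is
    checked, on the assumption that unlinked paths are safe. Anything
    not explicitly denied is served, so /admin/export is reachable by
    anyone who types its URL."""
    if req.path == "/admin/users" and req.role != "admin":
        return 403
    return 200


def authorize(req: Request) -> int:
    """Hardened pattern: the path is canonicalised first so the lookup
    and the resource actually served agree, then the decision is made
    from the allow-list. Unknown paths get 404, disallowed roles 403."""
    path = posixpath.normpath(req.path)
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 404
    if req.role not in allowed:
        return 403
    return 200


def find_forced_browsing_gaps(authorizer, paths, role):
    """Minimal forced-browsing check: request each candidate path as the
    given low-privilege role and return the paths that are served (200)
    although the route table does not grant that role access."""
    gaps = []
    for path in paths:
        served = authorizer(Request(path, role)) == 200
        permitted = role in ROUTE_ROLES.get(posixpath.normpath(path), set())
        if served and not permitted:
            gaps.append(path)
    return gaps


if __name__ == "__main__":
    candidates = ["/", "/account", "/admin/users", "/admin/export"]
    print("vulnerable:", find_forced_browsing_gaps(authorize_vulnerable, candidates, "user"))
    print("hardened:  ", find_forced_browsing_gaps(authorize, candidates, "user"))
```

The point of `find_forced_browsing_gaps` is that it needs no knowledge of what is linked in the UI: it probes every candidate path, which is exactly why "not linked" is no defence. With the hardened authorizer the list is empty for every role, because a route is only served when it is both registered and allowed for the caller.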
References:
Configuration
Example
Example configuration:
Reference
assets_allowed
Type: List[AssetType]*
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.