{
    "slug": "forced_browsing",
    "term": "Forced Browsing",
    "category": "security",
    "difficulty": "beginner",
    "short": "Accessing resources at predictable URLs that are not linked from the application's UI but lack proper authorisation checks.",
    "long": "Forced browsing (also called direct object reference or insecure direct access) occurs when an attacker guesses or enumerates URLs for resources the application assumes are private due to obscurity — backup files, admin panels, uploaded files, API endpoints, or configuration dumps. The fix is never to rely on URL secrecy: every resource must enforce server-side authorisation regardless of how it is accessed. Tools like dirb, gobuster, and OWASP ZAP automate forced browsing discovery during pen tests.",
    "aliases": [
        "unprotected endpoint",
        "path guessing",
        "direct URL access"
    ],
    "tags": [
        "authorisation",
        "information-disclosure",
        "owasp-top10"
    ],
    "misconception": "Unpublished URLs are safe because attackers cannot guess them. Common paths (admin/, backup/, .git/, phpinfo.php) are in every attacker wordlist — obscurity delays discovery by minutes at most.",
    "why_it_matters": "Sensitive resources that are unlinked but predictably named are fully accessible to anyone who requests them — security through obscurity is not access control.",
    "common_mistakes": [
        "Generating download URLs or IDs sequentially — attackers enumerate ±1 from any known ID.",
        "No server-side authorisation check on direct file or resource requests — only the link is hidden.",
        "Backup files, old scripts, or admin panels deployed to the webroot and forgotten.",
        "Relying on robots.txt to hide admin paths — it advertises them to attackers."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "broken_access_control",
        "idor",
        "directory_listing",
        "information_disclosure"
    ],
    "prerequisites": [
        "broken_access_control",
        "input_validation",
        "information_disclosure"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Forced_browsing"
    ],
    "bad_code": "// No ownership check — any user can download any invoice\npublic function download(string \\$filename): Response {\n    return response()->file(storage_path(\"invoices/\\$filename\"));\n}",
    "good_code": "// Use ID, not filename — enforce ownership\npublic function download(int \\$invoiceId): Response {\n    \\$invoice = Invoice::findOrFail(\\$invoiceId);\n\n    if (\\$invoice->user_id !== auth()->id()) abort(403);\n\n    return response()->file(\n        storage_path(\"invoices/{\\$invoice->stored_filename}\"),\n        ['Content-Disposition' => \"attachment; filename=invoice-\\$invoiceId.pdf\"]\n    );\n}",
    "quick_fix": "Every URL must verify authorisation, not just authentication — never rely on obscurity (hidden links, GUIDs) as an access control mechanism.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/forced_browsing",
        "html_url": "https://codeclaritylab.com/glossary/forced_browsing",
        "json_url": "https://codeclaritylab.com/glossary/forced_browsing.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Forced Browsing](https://codeclaritylab.com/glossary/forced_browsing) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/forced_browsing"
            }
        }
    }
}