Insecure File Management
Fixing Insecure File Management
About Forceful Browsing
What is Forceful Browsing?
Forceful browsing, also known as forced browsing, is a type of web application attack in which an attacker accesses files or directories on a web server that are not intended to be publicly accessible.
In a forceful browsing attack, an attacker attempts to bypass web application security controls and gain unauthorized access to sensitive files or directories by manipulating the URL or input parameters of the application.
What is the impact of Forceful Browsing?
Forceful browsing can lead to serious consequences. Here are some of the potential impacts:
- Unauthorized access to sensitive data: Forceful browsing can enable attackers to access sensitive data that is not intended to be publicly available. This could include confidential user data, intellectual property, or other sensitive information.
- Compromise of user accounts: Attackers can use forceful browsing to access user accounts, and then steal sensitive data or impersonate the user to launch other attacks.
- System or application compromise: Forceful browsing can also enable attackers to compromise the security of the entire system or application. This could allow the attacker to execute malicious code, modify or delete files, or take other malicious actions.
- Reputation damage: A successful forceful browsing attack can lead to significant reputation damage for the organization responsible for the vulnerable system or application. This can cause loss of trust and potential legal and financial liabilities.
How to prevent Forceful Browsing?
Several measures can be taken to prevent forceful browsing attacks, including:
- Implement access controls: Use access controls, such as authentication and authorization, to restrict user access to sensitive files and directories. This can help prevent unauthorized access to sensitive data.
- Configure file permissions: Properly configure file permissions to prevent unauthorized access to sensitive files and directories. For example, set read, write, and execute permissions only for authorized users or groups.
- Use URL encryption: Encrypt the URLs in the web application to prevent attackers from modifying the URL or input parameters to bypass security controls.
By implementing these measures, you can help prevent forceful browsing attacks and reduce the risk of unauthorized access to sensitive files and data on your system or application.
References
Taxonomies
- OWASP Top 10 - A01 Broken Access Control
- CWE-425: Direct Request ('Forced Browsing')
- CWE-552: Files or Directories Accessible to External Parties
Option A: Ensure correct File Permissions
Android apps can define whether a file is world-readable, world-writable, or both. While there are cases where this is acceptable, it often leaks sensitive data to other apps on the device.
Go through the issues that GuardRails identified in the PR/MR.
A vulnerable example is shown below:
```java
// Vulnerable: MODE_WORLD_READABLE lets every other app on the device read this file
SharedPreferences sharedPref = getSharedPreferences("key", MODE_WORLD_READABLE);
SharedPreferences.Editor editor = sharedPref.edit();
editor.putString("username", "administrator");
editor.putString("password", "supersecret");
editor.commit();
```
Make sure that these are not accessible by other apps.
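The same credential store written so that only the app's own UID can read it, together with a check that the backing file is not world-readable, as an added example that is not GuardRails' or the original page's code. It assumes a `context` of type `android.content.Context` supplied by the caller, API level 26 or higher (for `java.nio.file`), and the hypothetical helper class name `PrivatePrefs`.

```java
import android.content.Context;
import android.content.SharedPreferences;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

// Hypothetical helper class (added example, not from the page).
public final class PrivatePrefs {
    // Same preferences file name as the vulnerable snippet above
    private static final String PREFS_NAME = "key";

    private PrivatePrefs() {}

    public static void saveCredentials(Context context, String username, String password) {
        // MODE_PRIVATE is the default and the only non-deprecated mode: the backing
        // XML file is created readable and writable by this app's UID only.
        SharedPreferences prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        prefs.edit()
             .putString("username", username)
             // Still plaintext on disk: prefer a short-lived token over the raw password
             .putString("password", password)
             .apply(); // asynchronous write, no need to block the caller on disk I/O
    }

    /** Returns true if the preferences file can be read by other apps (it never should be). */
    public static boolean isWorldReadable(Context context) {
        // SharedPreferences are stored under <dataDir>/shared_prefs/<name>.xml
        File prefsFile = new File(context.getApplicationInfo().dataDir,
                "shared_prefs/" + PREFS_NAME + ".xml");
        if (!prefsFile.exists()) {
            return false; // nothing written yet, so nothing to leak
        }
        // File.canRead() only answers for this process; inspect the POSIX mode bits instead
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(prefsFile.toPath());
            return perms.contains(PosixFilePermission.OTHERS_READ);
        } catch (IOException | UnsupportedOperationException e) {
            // Fail closed: if the mode bits cannot be read, do not claim the file is private
            throw new IllegalStateException("Cannot determine permissions of " + prefsFile, e);
        }
    }
}
```

`isWorldReadable` is meant for an instrumented test or a debug-build self-check; a file created with MODE_PRIVATE should make it return false.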
Test it
Ship it 🚢 and relax 🌴
Option B: Don't load files from external storage into WebViews
Loading data from external storage into a WebView doesn't guarantee the integrity of that data. External storage can be modified by any other application on the device. In addition, the getExternalStorageDirectory() method was deprecated in API level 29.
Go through the issues that GuardRails identified in the PR/MR.
Look out for patterns like this:
```java
// Pattern to look out for: content on external storage can be altered by any other app
String baseDir = Environment.getExternalStorageDirectory().getAbsolutePath();
// webView is an android.webkit.WebView instance (loadUrl is an instance method, not static)
webView.loadUrl("file://" + baseDir + "/dangerZone.html");
```
And make sure that the use case makes sense; otherwise remove the logic, or use safer alternatives for accessing the required data.
Test it
Ship it 🚢 and relax 🌴