reside in standard locations. These files may disclose sensitive
information about web application internals, database information,
passwords, machine names, file paths to other sensitive areas, or
possibly contain vulnerabilities. Disclosure of this information is
valuable to an attacker.
Predictable Resource Location is also known as Forced Browsing,
File Enumeration, Directory Enumeration, etc.
Example
Any attacker can make arbitrary file or directory requests to any
publicly available web server. The existence of a resource can be
determined by analyzing the web server HTTP response codes.
There are several variations of the Predictable Resource Location attack:
Blind searches for common files and directories
/admin/
/backup/
/logs/
/vulnerable_file.cgi
Adding, swapping or stripping extensions on an existing filename (e.g. /test.asp):
/test.asp.bak
/test.bak
/test
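As an added illustration that is not part of the WASC document, the following Python script shows how a defender can spot the two variations listed above in a web server's access log: it parses Apache/nginx combined-format lines, marks requests for well-known directories or for backup/extension variants of real files as "predictable resource" probes, and groups them per client so that a burst of such probes (and, more importantly, any probe the server answered with 200) stands out. The log lines, IP addresses and the lists of probed names are constructed for the example; the thresholds and pattern lists are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format. Only the fields this check
# needs (client, timestamp, method, path, status) are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Variation 1 from the text: blind guesses at common directories.
# (Assumed list; extend it with whatever your site does not serve.)
COMMON_DIRS = {"/admin", "/backup", "/logs"}

# Variation 2 from the text: backup/extension variants of existing files,
# e.g. /test.asp.bak or /test.bak for a real /test.asp.
BACKUP_EXT_RE = re.compile(r"\.(bak|old|orig|save|swp|tmp)$|~$", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(asp|aspx|php|cgi|jsp)\.[A-Za-z0-9~]+$", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_predictable_probe(path):
    """True if the requested path looks like a forced-browsing guess."""
    p = path.split("?", 1)[0]          # ignore the query string
    if p.rstrip("/") in COMMON_DIRS:
        return True
    return bool(BACKUP_EXT_RE.search(p)) or bool(DOUBLE_EXT_RE.search(p))


def find_forced_browsing(lines, min_probes=3):
    """Group probe requests per client; return clients with at least min_probes.

    'not_found' counts probes answered 404 (guessing activity);
    'served' counts probes answered 200, i.e. a predictable resource that
    actually exists and was disclosed, which is the finding to act on first.
    """
    clients = defaultdict(lambda: {"probes": 0, "not_found": 0, "served": 0, "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_predictable_probe(rec["path"]):
            continue
        c = clients[rec["ip"]]
        c["probes"] += 1
        c["paths"].append(rec["path"])
        if rec["status"] == 404:
            c["not_found"] += 1
        elif rec["status"] == 200:
            c["served"] += 1
    return {ip: c for ip, c in clients.items() if c["probes"] >= min_probes}


# Constructed sample log: one client walking the predictable names from the
# text (and hitting a stray backup copy), one ordinary client.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2004:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2004:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Oct/2004:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Oct/2004:13:55:38 +0000] "GET /test.asp.bak HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Oct/2004:13:55:38 +0000] "GET /test.bak HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2004:13:56:01 +0000] "GET /test.asp HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Oct/2004:13:56:02 +0000] "GET /logs/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, c in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {c['probes']} probes, {c['not_found']} x 404, "
              f"{c['served']} x 200 -> {', '.join(c['paths'])}")
```

A 200 on a probe path is the result worth escalating: in the sample, /test.bak was served, which is exactly the backup-copy disclosure the section warns about. The third variation in the text (requesting /test for a real /test.asp) cannot be recognised from the path alone; catching it needs a list of the site's real files so that extensionless siblings can be compared against it, which is why the script leaves it out.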
6 Logical Attacks
The Logical Attacks section focuses on the abuse or exploitation of a
web application's logic flow. Application logic is the expected
procedural flow used in order to perform a certain action. Password
recovery, account registration, auction bidding, and eCommerce
purchases are all examples of application logic. A web site may
require a user to correctly perform a specific multi step process to
54
Copyright 2004, Web Application Security Consortium. All rights reserved.