Forced Browsing (Common Directories) is a security check in which the web vulnerability scanner attempts to enumerate and access resources that are not linked from the web application but are still reachable. If resources such as backup files and admin portals are discovered, they could help an attacker craft an attack against your website. Note that some sites may drop the current user session, or redirect you to the login page, when you request a non-existent resource.
The Forced Browsing attacks in Netsparker are handled by the Resource Finder module.
By default, the Common Directories check is enabled.
How to Disable the Common Directories Security Check in Netsparker Enterprise
- Log in to Netsparker Enterprise.
- Click Policies, then New Scan Policy. The New Scan Policy window is displayed.
- Click Security Checks.
- Deselect the Common Directories checkbox.
- Click Save.
How to Disable the Common Directories Security Check in Netsparker Standard
- Open Netsparker Standard.
- Click the Scan Policy Editor. The Scan Policy Editor dialog is displayed.
- Deselect the Common Directories checkbox. (You can also specify a Resource Finder Limit.)
- Click OK.
How to Add Your Own Forced Browsing Keyword List
- To add your own keywords for forced browsing, either update the existing list that ships with Netsparker or replace it. The list is in the following file: My Documents\Netsparker\Resources\Configuration\Folders.txt
- Once you have updated or replaced the file, restart Netsparker Desktop so that it loads the new file.
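As an added example (not Netsparker's own code), the following Python script shows the defender's side of the check described above: it loads a keyword list in the one-entry-per-line shape a Folders.txt-style file is assumed to use, then walks Combined Log Format access-log lines and flags clients that probe several of the listed directory names, recording which of those requests succeeded (an exposed resource of the kind the scanner would report). The keyword list, the log lines, the list format and the probe threshold are all constructed assumptions.

```python
"""Flag forced-browsing activity against listed common directories in access logs.

Added example, not Netsparker code. Assumptions:
  - the keyword list is one directory name per line (format assumed, not documented here)
  - access logs are in Combined Log Format
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample keyword list (one directory name per line; format assumed).
KEYWORDS_TXT = """\
admin
backup
_old
.git
phpmyadmin
"""

# Constructed sample access-log lines (Combined Log Format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 197 "-" "scanner/1.0"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 197 "-" "scanner/1.0"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /_old/ HTTP/1.1" 403 197 "-" "scanner/1.0"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 197 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def load_keywords(text):
    """Parse a one-entry-per-line keyword list, ignoring blank lines and '#' comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line.strip("/").lower())
    return out


def parse_line(line):
    """Return (client_ip, request_path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path
    return m.group("ip"), path, int(m.group("status"))


def first_segment(path):
    """'/admin/' -> 'admin', '/.git/HEAD' -> '.git': the directory name a list entry would match."""
    return path.strip("/").split("/", 1)[0].lower()


def find_forced_browsing(log_text, keywords, threshold=3):
    """Return {ip: {"probes": n, "hits": [paths]}} for clients at or above the probe threshold.

    A probe is any request whose first path segment is in the keyword list; a hit is such a
    request answered with 2xx, i.e. the unlinked resource exists and is exposed.
    """
    kw = set(keywords)
    per_ip = defaultdict(lambda: {"probes": 0, "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if first_segment(path) in kw:
            per_ip[ip]["probes"] += 1
            if 200 <= status < 300:
                per_ip[ip]["hits"].append(path)
    return {ip: d for ip, d in per_ip.items() if d["probes"] >= threshold}


if __name__ == "__main__":
    for ip, d in find_forced_browsing(SAMPLE_LOG, load_keywords(KEYWORDS_TXT)).items():
        print(f"{ip}: {d['probes']} probes of listed directories, exposed: {d['hits']}")
```

The threshold separates a single stray 404 from a client working through a list; a 2xx on a listed directory is the finding to act on, since it is precisely the exposed backup file or admin portal the check is meant to surface.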