Forced Browsing

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Forced Browsing is a security check in which the web vulnerability scanner attempts to enumerate and access resources that are not linked from the web application but are still reachable, by requesting candidate paths from a wordlist. If resources such as backup files and admin portals are discovered, they can give an attacker information or access that the linked application never intended to expose, and so help in crafting an attack against your website.

Note that some sites drop the current user session when a non-existent resource is requested, or redirect such requests to the login page. This matters for forced browsing because the check necessarily requests many paths that do not exist.

The Forced Browsing attacks in Invicti are handled by the Resource Finder module.

The Forced Browsing check is enabled by default.
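The loop below is an added example, not Invicti's code, showing the mechanics of a forced-browsing check as described above: request each wordlist entry, record the ones that exist, and cope with a site that drops the session on a miss and bounces the next request to the login page. Everything in it is constructed: FakeTarget stands in for the scan target, WORDLIST is a tiny stand-in for the Wordlist Entries field, and the limit parameter plays the role of the Resource Finder Limit (assumed here to cap how many wordlist entries are tried). The calibration step, which learns what a "not found" answer looks like before scanning, goes beyond the article; it guards against sites that answer 200 for unknown paths.

```python
"""Minimal forced-browsing loop (added example, not Invicti's code).

FakeTarget models the behaviour the article warns about: requesting a path
that does not exist invalidates the caller's session, and any request made
without a valid session is redirected to /login.
"""
import random
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None  # Location header on redirects


class FakeTarget:
    """In-memory web application standing in for the scan target."""

    def __init__(self) -> None:
        # Constructed content: linked pages plus unlinked resources that
        # forced browsing is meant to discover.
        self.resources = {
            "/": Response(200, "home page"),
            "/login": Response(200, "login form"),
            "/admin/": Response(200, "admin portal"),
            "/backup.zip": Response(200, "PK\x03\x04 ..."),
            "/.git/HEAD": Response(200, "ref: refs/heads/main"),
        }
        self.valid_sessions = set()
        self.requests = 0

    def login(self) -> str:
        sid = "".join(random.choices(string.ascii_letters + string.digits, k=24))
        self.valid_sessions.add(sid)
        return sid

    def get(self, path: str, session: str) -> Response:
        self.requests += 1
        if session not in self.valid_sessions:
            return Response(302, location="/login")
        if path in self.resources:
            return self.resources[path]
        self.valid_sessions.discard(session)  # session is dropped on a miss
        return Response(404, "not found")


class ForcedBrowser:
    """Requests each wordlist entry and reports the ones that exist."""

    REDIRECTS = (301, 302, 303, 307, 308)

    def __init__(self, target: FakeTarget, wordlist: List[str], limit: Optional[int] = None) -> None:
        self.target = target
        # `limit` stands in for the Resource Finder Limit (assumption: caps entries tried).
        self.wordlist = list(wordlist)[:limit] if limit is not None else list(wordlist)
        self.session = target.login()
        self.relogins = 0
        self.missing_signature: Optional[Tuple[int, int]] = None

    def _logged_out(self, resp: Response) -> bool:
        return resp.status in self.REDIRECTS and (resp.location or "").startswith("/login")

    def _get(self, path: str) -> Response:
        """Fetch a path; if bounced to the login page, log in again and
        retry once so a dropped session does not hide a real hit."""
        resp = self.target.get(path, self.session)
        if self._logged_out(resp):
            self.session = self.target.login()
            self.relogins += 1
            resp = self.target.get(path, self.session)
        return resp

    def calibrate(self) -> None:
        """Learn what a miss looks like by probing a random, surely absent path."""
        probe = "/" + "".join(random.choices(string.ascii_lowercase, k=24))
        resp = self._get(probe)
        self.missing_signature = (resp.status, len(resp.body))

    def _missing(self, resp: Response) -> bool:
        return resp.status == 404 or (resp.status, len(resp.body)) == self.missing_signature

    def run(self) -> List[str]:
        self.calibrate()
        found = []
        for word in self.wordlist:
            path = "/" + word
            resp = self._get(path)
            if not self._logged_out(resp) and not self._missing(resp):
                found.append(path)
        return found


# Constructed stand-in for the Wordlist Entries field.
WORDLIST = ["admin/", "backup.zip", "config.php", ".git/HEAD", "old/", "login"]


def scan(wordlist: List[str], limit: Optional[int] = None) -> dict:
    target = FakeTarget()
    browser = ForcedBrowser(target, wordlist, limit)
    found = browser.run()
    return {"found": found, "relogins": browser.relogins, "requests": target.requests}


if __name__ == "__main__":
    # -> {'found': ['/admin/', '/backup.zip', '/.git/HEAD', '/login'], 'relogins': 3, 'requests': 10}
    print(scan(WORDLIST))
```

Running it shows why the session caveat matters: every miss kills the session, so without the re-login in `_get` the hits that follow a miss (`/.git/HEAD`, `/login`) would be reported as redirects rather than as discovered resources. Passing a small `limit` shortens the scan in the same way a Resource Finder Limit is meant to, at the cost of entries further down the list.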

How to Disable the Forced Browsing Security Check in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. Select Security Checks, then the Resource Finder drop-down.
  4. Deselect the Forced Browsing checkbox. (You can also specify a Resource Finder Limit.)
  5. Select Save.

You can customize the list of keywords (wordlist entries) that the Resource Finder requests during forced browsing. To do so, you can either update the existing list that Invicti Enterprise ships with or replace it.

How to Add Your Own Forced Browsing Keyword List in Invicti Enterprise
  1. From the main menu, select Policies > New Scan Policy.
  2. Select Security Checks, then the Resource Finder drop-down.
  3. In the Wordlist Entries field, enter new entries and/or edit the existing entries.
  4. Select Save.

You can also take similar actions in Invicti Standard.

How to Disable the Forced Browsing Security Check in Invicti Standard
  1. Open Invicti Standard.
  2. Select Scan Policy Editor in the Home tab.
  3. Select Security Checks, then the Resource Finder drop-down.
  4. Deselect the Forced Browsing checkbox. (You can also specify a Resource Finder Limit.)
  5. Select OK.

You can customize the list of keywords (wordlist entries) that the Resource Finder requests during forced browsing. To do so, you can either update the existing list that Invicti Standard ships with or replace it.

How to Add Your Own Forced Browsing Keyword List in Invicti Standard
  1. Open Invicti Standard.
  2. From the Home tab, select Scan Policy Editor.
  3. Select Security Checks, then the Resource Finder drop-down.
  4. Select Forced Browsing.
  5. Select the ellipsis (...) button next to Wordlist Entries to edit the list.
  6. In the String Collection Editor, enter the relevant strings, one per line.
  7. Select OK.