File:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf

Through forceful browsing, clients may be able to access pages that should be forbidden to them. A technique for preventing forceful browsing is introduced. With this technique, you may be assured that clients can only visit pages for which links have actually been presented to them.

Granularity may be adjusted for an entire page, as well as for specific page parameters. For example, you may prevent a user from deleting customers altogether, or you may permit a user to delete customer #1 but not customer #2. In addition, a notification system can alert you when users attempt forceful browsing.

The implementation will be presented using PHP.
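One way to implement the rule described above (a request is honoured only if that page and parameter combination was presented as a link earlier in the session), as an added PHP example that is not the presentation's own code; the function names, the `fb_allowed` session key and the use of `error_log()` for the notification are assumptions:

```php
<?php
// Added example (not the presentation's code): link-based authorization
// against forceful browsing. Every link the application renders is recorded
// in the session, keyed by page path plus the exact parameters shown to the
// user. A request is honoured only if that same page+parameter combination
// was actually presented as a link earlier in the session.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Canonical key "path?k1=v1&k2=v2" with parameters sorted, so reordering
// the query string cannot produce a different key for the same request.
function fb_key(string $path, array $params): string
{
    ksort($params);
    return $path . '?' . http_build_query($params);
}

// Call this wherever a link is emitted. It records the link as permitted
// for this session and returns the HTML-escaped href to place in the page.
function fb_link(string $path, array $params = []): string
{
    $_SESSION['fb_allowed'][fb_key($path, $params)] = true;
    $href = $path . ($params ? '?' . http_build_query($params) : '');
    return htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
}

// Call this at the top of every protected page. Granularity is per page
// AND per parameter: /delete.php?id=1 is allowed if it was linked, while
// /delete.php?id=2 is refused if the user was never shown that link.
function fb_check(string $path, array $params): bool
{
    $allowed = $_SESSION['fb_allowed'] ?? [];
    if (isset($allowed[fb_key($path, $params)])) {
        return true;
    }
    fb_notify($path, $params);   // refused request: raise the alert
    return false;
}

// Notification hook (assumed): record who tried to reach what, so the
// attempt can be reviewed. Replace error_log() with your alerting channel.
function fb_notify(string $path, array $params): void
{
    error_log(sprintf('[forceful-browsing] user=%s ip=%s path=%s params=%s',
        $_SESSION['user'] ?? 'anonymous',
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $path, json_encode($params)));
}

// On a protected page such as delete.php:
// if (!fb_check('/delete.php', $_GET)) { http_response_code(403); exit('Forbidden'); }
```

Rendering a page with `fb_link('/delete.php', ['id' => 1])` permits `/delete.php?id=1` for the rest of the session but not `/delete.php?id=2`; if a link should be usable once only, unset the key in `fb_check` after a successful match.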