During a black-box web application assessment you have already completed an automated crawl and manually followed every link visible in the HTML after authentication. You believe additional pages might only be reachable through JavaScript or by guessing predictable paths. According to the web application hacking methodology, which technique should you apply next to reveal these undisclosed resources?
Attempt blind time-based SQL injection on the login form to bypass authentication controls.
Enumerate the web server's installed patches to identify any outdated modules for exploitation.
Launch a forced-browsing scan that brute-forces common directory and file names while replaying the authenticated session.
Probe each discovered parameter with a simple reflected XSS payload such as <script>alert(1)</script>.
The methodology recommends performing forced browsing (also called content or directory brute forcing) after the initial crawl when you suspect there are unlinked or script-generated resources. By sending large word-list-based requests and replaying valid session cookies, the tester can discover hidden files, backup copies, and workflow-specific URLs that normal crawling misses. Testing for reflected XSS (option 2) or SQL injection (option 3) are exploitation steps that assume you have already identified suitable inputs. Reviewing server patch levels (option 4) relates to web-server hardening, not to enumerating additional application content. Therefore, initiating a forced-browsing or path-bruteforce phase is the correct next action.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is forced browsing in web application assessments?
Open an interactive chat with Bash
How does JavaScript hide or dynamically generate web application resources?
Open an interactive chat with Bash
Why is it important to replay authenticated session cookies during forced browsing scans?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .