Forced Browsing vs. Command Injection: Why AppSec Training for Developers Matters

5 Things Hackers Love: The Hacker Mindset

Forced Browsing vs. Command Injection: Why AppSec Training for Developers Matters


The numbers are dire. Supply chain attacks double in 2021. Data breaches cost $4.24 million, on average. 483 wallets ransacked for $31 million.

We know that employees with low security awareness cause most cyber damage, but what about other attack vectors? And who should understand the difference between forced browsing vs. command injection attacks?

5 Things Hackers Love: The Hacker Mindset

Web Application, API Attacks Up Sharply

Web application attacks comprise 26% of all breaches. Application-layer DDoS attacks are up 72% year over year.

As enterprises move more of their data, code and operations to the cloud, attacks against those assets are increasing dramatically.  API attacks are up a stunning 686%.

Long story short, there are many more applications than trained developers to defend them. 

In this post, we’ll examine some of the most common application vulnerabilities according to the Open Web Application Security Project (OWASP).

The OWASP Top 10 updates every three to four years and covers the top 10 application security risks. 

Forced Browsing vs. Command Injection + 6 More AppSec Vulnerabilities

SQL Injection

SQL Injection is the OG of application layer attacks, and still packs a punch. This one vulnerability accounted for 8.1% of all data breaches in 2022.

SQL is a programming language allowing threat actors to “talk” to large databases using a language not unlike English.

SQL Injection can query, operate, and administer data systems. It can allow threat actors to authenticate without supplying a correct password.

Once in, users can read sensitive data from the back-end database, modify, or delete data and issue other commands.

Forced Browsing vs. Command Injection: Why AppSec Training for Developers Matters

Command Injection

Command Injection, also called Shell Injection, is similar to a SQL injection. But instead of injecting into a SQL query, a threat actor injects a command into the OS. According to OWASP, Command Injection’s goal is to execute arbitrary commands on the host operating system via a vulnerable application.

Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. The attacker-supplied OS commands usually execute with the vulnerable application’s privileges.

In other words, Command Injection attacks inject OS commands. This allows hackers to compromise the entire application, take full control of the server – even attack other systems within the organization.

Forced Browsing

Not what it sounds like. Forced Browsing, also called Directory Enumeration, is a brute force attack technique to gain access to restricted pages or other sensitive resources in a web server. It does this by forcing or guessing the URL directly.

If the restricted URLs, scripts, or files lack appropriate authorization, these resources can be vulnerable to forced browsing attacks. This would hypothetically allow hackers to access restricted files and view sensitive information.

XML Entity Injection

XML External Entity (XXE) Injection is a web security vulnerability allowing an attacker to interfere with an application’s processing of XML data.

In other words, targeting applications that transmit data between browser and server in XML format. By intercepting and modifying the data, an attacker can exploit potentially dangerous features of standard XML libraries.

These would include the parsing and loading of external entities to gain access to the server’s filesystem or interaction with backend systems that the application has access to. Sometimes an attacker can escalate an XXE attack to perform server-side request forgery (SSRF) attacks.

Reflected Cross Site Scripting

Reflected Cross-site Scripting (XSS) is a client-side code injection vulnerability that allows malicious JavaScript payloads to be injected within a user-supplied input, reflecting back within the web server’s response and executed on the client-side by the victim’s web browser.

Since the entire attack completes in a single request and response, it is known as a Reflected Cross-site Scripting vulnerability.

Components with Known Vulnerabilities

Components with Known Vulnerabilities allow attackers to simply make use of automated scan tools or perform manual analysis of the application to identify and easily exploit security flaws within applications.

Because third party libraries and frameworks usually execute with full privileges, this attack becomes even more possible.

According to Siemba, famous Components with Known Vulnerabilities victims include:

  • Equifax (a US credit bureau organization)- breach due to unpatched Apache Struts web framework CVE-2017-5638
  • Mossack Fonesca (Panama Papers law firm) breach- unpatched version of Drupal CMS used
  • Ubuntu forums breach – Unpatched Forumrunner add-on

Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request.

According to Imperva this attack can be particularly devastating, resulting in unauthorized fund transfers, damaged client relationships and lost passwords.


Clickjacking is a technique used by threat actors to “steal clicks” by tricking users into clicking on malicious links. This class of attacks overlays a legitimate decoy user interface over a hidden application.

In other words, users might think they’re on a real Wells Fargo site but in effect they’ve landed on a dangerous lookalike site that’s very much not Wells Fargo.

Before figuring this out, they’re tricked into clicking a button or link in the UI they see, performing an unwanted action in the hidden application.

The most common clickjacking attack uses invisible iframes and prevention is often based on restricting the framing capability for websites.

Forced Browsing vs. Command Injection: Devs Must Know the Difference

With the migration of systems, software, and apps to the cloud, devs who can properly integrate security into their coding have never been more in demand.

Who else would understand the bigger threat: Forced Browsing vs. Command Injection? XML Entity Injection or Reflected Cross Site Scripting?

Unlike other AppSec programs, Application Security Training by ThriveDX (formerly Kontra) abounds with challenging yet teachable real-life scenarios that will integrate security best practices into your code from the bottom-up. 

For more information on ThriveDX enterprise security training programs, please visit us at

Digital Skills Training and EdTech Solutions | ThriveDX

Gyan Chawdhary is a world renowned Application Security and Development expert. After previously founding Codebashing, which was acquired by Checkmarx in 2018, Gyan shifted focus to inventing a new disruptive technology to successfully train developers in cybersecurity and apply it in their code, this is how his latest company Kontra was formed. In 2022, Kontra was acquired by ThriveDX’s Enterprise Division and Gyan remains on as an Advisor with the company. Some of Gyan’s former customers include the New York Stock Exchange, FitBit and Microsoft.

Protect Your Organization from Phishing


Explore More Resources

GitLab Inc. Increases Security Awareness for Development Teams Through New Partnership with Kontra's Cutting-Edge
While digital threats lurk around every corner and blur the lines between attacker and
Explore Ben Kapon's article on merging physical and digital security in SOCs, highlighting the
GitLab Inc. Increases Security Awareness for Development Teams Through New Partnership with Kontra's Cutting-Edge

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.

Almost There.

Are you ready to gain hands-on experience with the IT industry’s top tools, 
techniques, and technologies?

Take the first step and download the syllabus.

By clicking "Request Info," I consent to be contacted by ThriveDX, including by email, calls, and text messages, (including by autodialer or prerecorded messages) about my educational interests. I understand that my consent to be contacted is not required to enroll. Msg. and data rates may apply.

Contact (212) 448-4485 for more information. I also agree to the Terms of Use and Privacy Policy.

Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.
tagging ThriveDX Enterprise on LinkedIn

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content