
CWE-425 Individual Dictionary Definition (Draft 9)

Direct Request ('Forced Browsing')

Weakness ID: 425 (Weakness Base)
Status: Incomplete

Description

Summary

The web application fails to adequately enforce appropriate authorization on all restricted URLs, scripts or files. Such web applications often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Potential Mitigations

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Observed Examples

Reference       Description
CVE-2004-2144   Bypass authentication via direct request.
CVE-2005-1892   Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257   Bypass auth/auth via direct request.
CVE-2005-1688   Direct request leads to infoleak by error.
CVE-2005-1697   Direct request leads to infoleak by error.
CVE-2005-1698   Direct request leads to infoleak by error.
CVE-2005-1685   Authentication bypass via direct request.
CVE-2005-1827   Authentication bypass via direct request.
CVE-2005-1654   Authorization bypass using direct request.
CVE-2005-1668   Access privileged functionality using direct request.
CVE-2002-1798   Upload arbitrary files via direct request.

Context Notes

Terminology Note: the "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.

"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable; the application does not verify that the first step was performed. The consequence is typically "authentication bypass" or "path disclosure," although it can expose all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

Overlaps with Modification of Assumed-Immutable Data (MAID), authorization errors and container errors; often primary to other weaknesses such as XSS and SQL injection.
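To make the Summary, the Potential Mitigation and the step-skipping note above concrete, here is an added example (not CWE/MITRE code, and not from any product named on this page) in the form of a minimal in-memory request dispatcher. It contrasts an application that checks authorization only on the navigation entry page, and trusts the order of a multi-step flow, with one that checks each restricted resource and each step on its own. The paths, roles, session layout and status codes are assumptions chosen for the illustration.

```python
# Added illustration (not CWE/MITRE code): a minimal in-memory request
# dispatcher contrasting a design that checks authorization only on the
# navigation entry page with one that checks it on every restricted
# resource and on every step of a multi-step flow. Paths, roles, the
# session layout and the status codes are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Response = Tuple[int, str]


@dataclass
class Session:
    role: str = "anonymous"
    completed_steps: Set[str] = field(default_factory=set)  # server-side state


Handler = Callable[[Session], Response]


def vulnerable_app() -> Dict[str, Handler]:
    # Authorization is applied only on the menu page; the pages linked from it
    # assume that the menu was the only way to reach them.
    def admin_index(s: Session) -> Response:
        if s.role != "admin":
            return 403, "forbidden"
        return 200, "admin menu"

    def admin_users(s: Session) -> Response:
        return 200, "user list"  # no check: relies on the navigation path

    def checkout_confirm(s: Session) -> Response:
        return 200, "order placed"  # step 3: assumes "cart" and "address" happened

    return {"/admin": admin_index, "/admin/users": admin_users,
            "/checkout/confirm": checkout_confirm}


def require_role(role: str) -> Callable[[Handler], Handler]:
    # Decorator: the role check travels with the handler, not with the menu.
    def decorate(fn: Handler) -> Handler:
        def wrapped(s: Session) -> Response:
            return fn(s) if s.role == role else (403, "forbidden")
        return wrapped
    return decorate


def require_steps(*steps: str) -> Callable[[Handler], Handler]:
    # Decorator: refuse unless server-side session state shows every
    # prerequisite step was completed, so a step cannot be skipped by URL.
    def decorate(fn: Handler) -> Handler:
        def wrapped(s: Session) -> Response:
            missing = set(steps) - s.completed_steps
            if missing:
                return 409, "missing steps: " + ", ".join(sorted(missing))
            return fn(s)
        return wrapped
    return decorate


def hardened_app() -> Dict[str, Handler]:
    # Every restricted resource carries its own authorization check.
    @require_role("admin")
    def admin_index(s: Session) -> Response:
        return 200, "admin menu"

    @require_role("admin")
    def admin_users(s: Session) -> Response:
        return 200, "user list"

    @require_steps("cart", "address")
    def checkout_confirm(s: Session) -> Response:
        return 200, "order placed"

    return {"/admin": admin_index, "/admin/users": admin_users,
            "/checkout/confirm": checkout_confirm}


def dispatch(app: Dict[str, Handler], path: str, session: Session) -> Response:
    # Exact-path routing: a typed-in URL reaches the handler directly.
    handler = app.get(path)
    return handler(session) if handler else (404, "not found")


def demo() -> Dict[str, int]:
    # Status codes returned for requests that bypass the intended navigation.
    anon = Session()
    admin = Session(role="admin", completed_steps={"cart", "address"})
    return {
        # restricted page requested without ever visiting the menu
        "vulnerable_admin_users": dispatch(vulnerable_app(), "/admin/users", anon)[0],
        "hardened_admin_users": dispatch(hardened_app(), "/admin/users", anon)[0],
        # last checkout step requested with the earlier steps omitted
        "vulnerable_confirm": dispatch(vulnerable_app(), "/checkout/confirm", anon)[0],
        "hardened_confirm": dispatch(hardened_app(), "/checkout/confirm", anon)[0],
        # legitimate use still succeeds in the hardened app
        "hardened_admin_ok": dispatch(hardened_app(), "/admin/users", admin)[0],
        "hardened_confirm_ok": dispatch(hardened_app(), "/checkout/confirm", admin)[0],
    }
```

The point of the hardened variant is that the check is attached to the resource being served, not to the page the developer expected the user to come from, and that prerequisite steps are recorded server-side rather than inferred from the URL. Calling `demo()` shows the vulnerable dispatcher returning 200 for both direct requests while the hardened one returns 403 and 409, and still returns 200 for a legitimately authorized session.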

Relationships

Nature         Type                          ID    Name
ChildOf        Weakness Variant              288   Authentication Bypass by Alternate Path/Channel
ChildOf        Weakness Class                424   Failure to Protect Alternate Path
CanAlsoBe      Weakness Base                 471   Modification of Assumed-Immutable Data (MAID)
ChildOf        View                          629
IsRequiredBy   Compound Element: Composite   98    Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')

Source Taxonomies

PLOVER - Direct Request aka 'Forced Browsing'

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID   Attack Pattern Name
87         Forceful Browsing

Page Last Updated: April 22, 2008