CWE - CWE-425: Direct Request ('Forced Browsing') (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-425: Direct Request ('Forced Browsing')

Direct Request ('Forced Browsing')

Weakness ID: 425 (Weakness Base)

Status: Incomplete

Description

Description Summary

The web application fails to adequately enforce appropriate authorization on all restricted URLs, scripts or files.

Extended Description

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Alternate Terms

forced browsing:	The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.

Time of Introduction

Architecture and Design
Implementation
Operation

Applicable Platforms

Languages

All

Demonstrative Examples

Example 1

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

(Attack)

JSP

http://somesite.com/someapplication/admin.jsp

Observed Examples

Reference	Description
CVE-2004-2144	Bypass authentication via direct request.
CVE-2005-1892	Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257	Bypass auth/auth via direct request.
CVE-2005-1688	Direct request leads to infoleak by error.
CVE-2005-1697	Direct request leads to infoleak by error.
CVE-2005-1698	Direct request leads to infoleak by error.
CVE-2005-1685	Authentication bypass via direct request.
CVE-2005-1827	Authentication bypass via direct request.
CVE-2005-1654	Authorization bypass using direct request.
CVE-2005-1668	Access privileged functionality using direct request.
CVE-2002-1798	Upload arbitrary files via direct request.

Potential Mitigations

Phase	Description
	Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
	Consider using MVC based frameworks such as Struts.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Base	288	Authentication Bypass Using an Alternate Path or Channel	Development Concepts699 Research Concepts (primary)1000
ChildOf	Weakness Class	424	Failure to Protect Alternate Path	Development Concepts (primary)699 Research Concepts1000
CanPrecede	Weakness Base	471	Modification of Assumed-Immutable Data (MAID)	Research Concepts1000
ChildOf	Category	721	OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	722	OWASP Top Ten 2004 Category A1 - Unvalidated Input	Weaknesses in OWASP Top Ten (2004)711
ChildOf	Category	723	OWASP Top Ten 2004 Category A2 - Broken Access Control	Weaknesses in OWASP Top Ten (2004) (primary)711
RequiredBy	Compound Element: Composite	98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')	Research Concepts1000
PeerOf	Weakness Base	288	Authentication Bypass Using an Alternate Path or Channel	Research Concepts1000

Relationship Notes

Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.

Theoretical Notes

"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Direct Request aka 'Forced Browsing'
OWASP Top Ten 2007	A10	CWE More Specific	Failure to Restrict URL Access
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input
OWASP Top Ten 2004	A2	CWE More Specific	Broken Access Control

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Potential Mitigations, Time of Introduction
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Alternate Terms, Relationships, Relationship Notes, Taxonomy Mappings, Theoretical Notes
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us