CWE-425: Direct Request ('Forced Browsing')

Modes of Introduction

Implementation

Operation

Related Weaknesses

CWE-862ChildOf CWE-862ChildOf CWE-288ChildOf CWE-424ChildOf CWE-471CanPrecede CWE-98CanPrecede

Example CVEs (12)

CVE-2022-29238

Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.

CVE-2004-2144

Bypass authentication via direct request.

CVE-2005-1892

Infinite loop or infoleak triggered by direct requests.

CVE-2004-2257

Bypass auth/auth via direct request.

CVE-2005-1688

Direct request leads to infoleak by error.

External Links

MITRE CWE Database