CWE-425

BaseIncomplete

View on MITRE

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

79 linked vulnerabilities

6 related weaknesses

Extended Description

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Architecture and Design

Operation

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Architecture and Design

Consider using MVC based frameworks such as Struts.

Confidentiality

Integrity

Availability

Access Control

Read Application Data

Modify Application Data

Execute Unauthorized Code or Commands

Gain Privileges or Assume Identity

Modes of Introduction

Implementation

Operation

Related Weaknesses

CWE-862ChildOf CWE-862ChildOf CWE-288ChildOf CWE-424ChildOf CWE-471CanPrecede CWE-98CanPrecede

Example CVEs (13)

CVE-2022-29238

Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.

CVE-2022-23607

Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.

CVE-2004-2144

Bypass authentication via direct request.

CVE-2005-1892

Infinite loop or infoleak triggered by direct requests.

CVE-2004-2257

Bypass auth/auth via direct request.

External Links

MITRE CWE Database