CWE-425: Direct Request ('Forced Browsing')

Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Example Vulnerable Codes

Example - 1

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

http://somesite.com/someapplication/admin.jsp

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Go to
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Go to
CWE-424: Improper Protection of Alternate Path
Go to
CWE-471: Modification of Assumed-Immutable Data (MAID)
Go to
CWE-862: Missing Authorization
Go to

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 05, 2024 11:28