CWE-425: Direct Request ('Forced Browsing')
Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Submission Date: 2006-07-19
Modification Date: 2023-06-29
Organization: MITRE
Extended Description
Web applications susceptible to direct request attacks often make the false assumption that restricted resources can only be reached through a given navigation path, and so they apply authorization only at certain points along that path rather than on the resource itself.
Example - 1
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
http://somesite.com/someapplication/admin.jsp
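As an added illustration that is not part of the CWE entry, the following minimal Python request router (all routes, roles and principals are constructed for this demo; the admin.jsp path mirrors the URL above) contrasts a dispatcher that checks roles only while rendering the menu with a hardened one that gates every request before any handler runs:

```python
from dataclasses import dataclass
from posixpath import normpath
from typing import Callable, Dict, FrozenSet, Optional, Tuple

@dataclass
class Request:
    path: str
    user: Optional[str] = None           # authenticated principal, None if anonymous
    roles: FrozenSet[str] = frozenset()  # roles granted to that principal

# Constructed resource map: the role each restricted page requires.
RESTRICTED: Dict[str, str] = {"/someapplication/admin.jsp": "admin"}

def menu_page(req: Request) -> Tuple[int, str]:
    # The vulnerable app's only role check: it decides whether to *show* the
    # admin link, assuming admin.jsp cannot be reached any other way.
    link = " (with admin link)" if "admin" in req.roles else ""
    return 200, "menu" + link

def admin_page(req: Request) -> Tuple[int, str]:
    return 200, "admin panel"            # no authorization check of its own

ROUTES: Dict[str, Callable[[Request], Tuple[int, str]]] = {
    "/someapplication/menu.jsp": menu_page,
    "/someapplication/admin.jsp": admin_page,
}

def dispatch_vulnerable(req: Request) -> Tuple[int, str]:
    # CWE-425: authorization is tied to the navigation path (menu -> admin),
    # so a handler requested directly by URL runs without any check.
    handler = ROUTES.get(normpath(req.path))
    return handler(req) if handler else (404, "not found")

def dispatch_hardened(req: Request) -> Tuple[int, str]:
    # Fix: a deny-by-default gate runs before every handler, keyed on the
    # normalized path so the gate and the router agree on which resource it is.
    path = normpath(req.path)
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    required = RESTRICTED.get(path)
    if required is not None:
        if req.user is None:
            return 401, "authentication required"
        if required not in req.roles:
            return 403, "forbidden"
    return handler(req)
```

The same deny-by-default gate belongs in front of static files and scripts as well, since the weakness covers "URLs, scripts, or files", not only dynamic pages.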
Related Weaknesses
This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-424: Improper Protection of Alternate Path
CWE-471: Modification of Assumed-Immutable Data (MAID)
CWE-862: Missing Authorization
Visit http://cwe.mitre.org/ for more details.