Direct Request ('Forced Browsing')| ID: 425 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The web application does not adequately enforce appropriate
authorization on all restricted URLs, scripts, or files.
Extended DescriptionWeb applications susceptible to direct request attacks often make the
false assumption that such resources can only be reached through a given
navigation path and so only apply authorization at certain points in the
path.
Applicable PlatformsLanguage Class: Language-independent
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrityAvailabilityAccess_Control | Read application
dataModify application
dataExecute unauthorized code or
commandsGain privileges / assume
identity | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and DesignOperation | | Apply appropriate access control authorizations for each access to all
restricted URLs, scripts or files. | | |
| Architecture and Design | | Consider using MVC based frameworks such as Struts. | | |
RelationshipsOverlaps Modification of Assumed-Immutable Data (MAID), authorization
errors, container errors; often primary to other weaknesses such as XSS and
SQL injection.
| Related CWE | Type | View | Chain |
|---|
| CWE-425 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- If forced browsing is possible, an attacker may be able to directly
access a sensitive page by entering a URL similar to the
following.
Observed Examples
- CVE-2004-2144 : Bypass authentication via direct request.
- CVE-2005-1892 : Infinite loop or infoleak triggered by direct requests.
- CVE-2004-2257 : Bypass auth/auth via direct request.
- CVE-2005-1688 : Direct request leads to infoleak by error.
- CVE-2005-1697 : Direct request leads to infoleak by error.
- CVE-2005-1698 : Direct request leads to infoleak by error.
- CVE-2005-1685 : Authentication bypass via direct request.
- CVE-2005-1827 : Authentication bypass via direct request.
- CVE-2005-1654 : Authorization bypass using direct request.
- CVE-2005-1668 : Access privileged functionality using direct request.
- CVE-2002-1798 : Upload arbitrary files via direct request.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Direct Request aka 'Forced Browsing' | |
| OWASP Top Ten 2007 | A10 | Failure to Restrict URL Access | CWE_More_Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
| OWASP Top Ten 2004 | A2 | Broken Access Control | CWE_More_Specific |
| WASC | 34 | Predictable Resource Location | |
References:None
