{"@ID": "425", "@Name": "Direct Request ('Forced Browsing')", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "@Diagram": "/data/images/CWE-425-Diagram.png", "Description": "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "862", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "862", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "288", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "424", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "471", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "98", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Web Based", "@Prevalence": "Undetermined"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Alternate_Terms": {"Alternate_Term": {"Term": "forced browsing", "Description": "The \"forced browsing\" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged."}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation", "Note": "Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path."}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity", "Availability", "Access Control"], "Impact": ["Read Application Data", "Modify Application Data", "Execute Unauthorized Code or Commands", "Gain Privileges or Assume Identity"]}}, "Potential_Mitigations": {"Mitigation": [{"Phase": ["Architecture and Design", "Operation"], "Description": "Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files."}, {"Phase": "Architecture and Design", "Description": "Consider using MVC based frameworks such as Struts."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.", "Example_Code": {"@Nature": "Attack", "@Language": "JSP", "xhtml:div": "http://somesite.com/someapplication/admin.jsp"}}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-29238", "Description": "Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29238"}, {"Reference": "CVE-2004-2144", "Description": "Bypass authentication via direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2144"}, {"Reference": "CVE-2005-1892", "Description": "Infinite loop or infoleak triggered by direct requests.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1892"}, {"Reference": "CVE-2004-2257", "Description": "Bypass auth/auth via direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2257"}, {"Reference": "CVE-2005-1688", "Description": "Direct request leads to infoleak by error.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1688"}, {"Reference": "CVE-2005-1697", "Description": "Direct request leads to infoleak by error.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1697"}, {"Reference": "CVE-2005-1698", "Description": "Direct request leads to infoleak by error.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1698"}, {"Reference": "CVE-2005-1685", "Description": "Authentication bypass via direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1685"}, {"Reference": "CVE-2005-1827", "Description": "Authentication bypass via direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1827"}, {"Reference": "CVE-2005-1654", "Description": "Authorization bypass using direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1654"}, {"Reference": "CVE-2005-1668", "Description": "Access privileged functionality using direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1668"}, {"Reference": "CVE-2002-1798", "Description": "Upload arbitrary files via direct request.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1798"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Direct Request aka 'Forced Browsing'"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A10", "Entry_Name": "Failure to Restrict URL Access", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A1", "Entry_Name": "Unvalidated Input", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A2", "Entry_Name": "Broken Access Control", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "34", "Entry_Name": "Predictable Resource Location"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP30", "Entry_Name": "Missing endpoint authentication"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "127"}, {"@CAPEC_ID": "143"}, {"@CAPEC_ID": "144"}, {"@CAPEC_ID": "668"}, {"@CAPEC_ID": "87"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection."}, {"@Type": "Theoretical", "#text": "\"Forced browsing\" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically \"authentication bypass\" or \"path disclosure,\" although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Alternate_Terms, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Applicable_Platforms, Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Observed_Examples, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Modes_of_Introduction, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Description, Diagram, Modes_of_Introduction, Observed_Examples"}]}}
