Base · Medium

CWE-425: Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

CWE-425 · Base Level · 12 CVEs · 2 Mitigations

Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Potential Impact

Confidentiality, Integrity, Availability, Access Control

Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Demonstrative Examples

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Attack:
http://somesite.com/someapplication/admin.jsp

Mitigations & Prevention

Architecture and Design, Operation

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Architecture and Design

Consider using MVC-based frameworks such as Struts.
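The first mitigation says authorization must be enforced on each request to a restricted URL, not only where links to that URL are rendered. The following Python example, added here and not part of the CWE entry, contrasts the two patterns on a constructed in-memory router: a weak dispatcher that hides the admin link from non-admins but serves a direct request for it anyway, and a hardened dispatcher where every route carries an explicit authorization requirement and anything undeclared is denied. The route names (admin.jsp, index.jsp, profile.jsp), roles and the Request type are constructed for illustration.

```python
"""Constructed example: per-request authorization versus link hiding (CWE-425)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request after session lookup (constructed)."""
    path: str
    user: Optional[str]                  # None means anonymous
    roles: FrozenSet[str] = frozenset()  # roles attached to the authenticated user


# Hypothetical handlers; what they return is irrelevant to the authorization logic.
def public_home(req: Request) -> Response:
    return 200, "home"


def user_profile(req: Request) -> Response:
    return 200, f"profile of {req.user}"


def admin_panel(req: Request) -> Response:
    return 200, "admin panel"


# --- Weak pattern: authorization only decides which links are shown ---------

def weak_menu(req: Request) -> list:
    """Renders the navigation menu; the admin link is hidden from non-admins."""
    links = ["/index.jsp"]
    if "admin" in req.roles:
        links.append("/admin.jsp")
    return links


WEAK_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/index.jsp": public_home,
    "/admin.jsp": admin_panel,
}


def weak_dispatch(req: Request) -> Response:
    """Serves any known path; a directly typed /admin.jsp bypasses the hidden menu."""
    handler = WEAK_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)  # no authorization check on the request itself


# --- Hardened pattern: each route declares who may call it, deny otherwise ---

# Each entry pairs a handler with the role it requires; None allows anonymous access.
ROUTES: Dict[str, Tuple[Callable[[Request], Response], Optional[str]]] = {
    "/index.jsp": (public_home, None),
    "/profile.jsp": (user_profile, "user"),
    "/admin.jsp": (admin_panel, "admin"),
}


def dispatch(req: Request) -> Response:
    """Authorizes every request at the route, independent of how the URL was reached."""
    entry = ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"  # undeclared paths are never served
    handler, required_role = entry
    if required_role is not None:
        if req.user is None:
            return 401, "authentication required"
        if required_role not in req.roles:
            return 403, "forbidden"
    return handler(req)


if __name__ == "__main__":
    alice = Request("/admin.jsp", "alice", frozenset({"user"}))
    print("menu shown to alice:", weak_menu(alice))       # no admin link
    print("weak dispatch:", weak_dispatch(alice))          # still served: (200, 'admin panel')
    print("hardened dispatch:", dispatch(alice))           # (403, 'forbidden')
```

The check that matters for this weakness is that `ROUTES` is the single place where a path becomes reachable: a file or handler with no entry there is not served, so adding a restricted page without an authorization declaration fails closed instead of silently becoming forced-browsable. Testing for the weakness is correspondingly simple: request each restricted path as an anonymous user and as a low-privilege user and confirm a 401 or 403, regardless of whether any page links to it.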

Real-World CVE Examples

CVE ID          Description
CVE-2022-29238  Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in thos
CVE-2004-2144   Bypass authentication via direct request.
CVE-2005-1892   Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257   Bypass auth/auth via direct request.
CVE-2005-1688   Direct request leads to infoleak by error.
CVE-2005-1697   Direct request leads to infoleak by error.
CVE-2005-1698   Direct request leads to infoleak by error.
CVE-2005-1685   Authentication bypass via direct request.
CVE-2005-1827   Authentication bypass via direct request.
CVE-2005-1654   Authorization bypass using direct request.
CVE-2005-1668   Access privileged functionality using direct request.
CVE-2002-1798   Upload arbitrary files via direct request.

Taxonomy Mappings

  • PLOVER: Direct Request aka 'Forced Browsing'
  • OWASP Top Ten 2007: A10 — Failure to Restrict URL Access
  • OWASP Top Ten 2004: A1 — Unvalidated Input
  • OWASP Top Ten 2004: A2 — Broken Access Control
  • WASC: 34 — Predictable Resource Location
  • Software Fault Patterns: SFP30 — Missing endpoint authentication

Frequently Asked Questions

What is CWE-425?

CWE-425 (Direct Request ('Forced Browsing')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

How can CWE-425 be exploited?

Attackers can exploit CWE-425 (Direct Request ('Forced Browsing')) to read application data, modify application data, execute unauthorized code or commands, or gain privileges or assume identity. This weakness is typically introduced during the Implementation and Operation phases of software development.

How do I prevent CWE-425?

Key mitigations include: Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

What is the severity of CWE-425?

CWE-425 is classified as a Base-level weakness (Medium abstraction). It has been observed in 12 real-world CVEs.