CWE-425 Detail

CWE-425

Direct Request ('Forced Browsing')
Incomplete
2006-07-19 00:00 +00:00
2023-06-29 00:00 +00:00

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Extended Description

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

Informations

Modes Of Introduction

Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Undetermined)

Common Consequences

Scope Impact Likelihood
Confidentiality
Integrity
Availability
Access Control
Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Observed Examples

Reference Description
CVE-2022-29238Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.
CVE-2004-2144Bypass authentication via direct request.
CVE-2005-1892Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257Bypass auth/auth via direct request.
CVE-2005-1688Direct request leads to infoleak by error.
CVE-2005-1697Direct request leads to infoleak by error.
CVE-2005-1698Direct request leads to infoleak by error.
CVE-2005-1685Authentication bypass via direct request.
CVE-2005-1827Authentication bypass via direct request.
CVE-2005-1654Authorization bypass using direct request.
CVE-2005-1668Access privileged functionality using direct request.
CVE-2002-1798Upload arbitrary files via direct request.

Potential Mitigations

Phases : Architecture and Design // Operation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phases : Architecture and Design
Consider using MVC based frameworks such as Struts.

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-127 Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-143 Detect Unpublicized Web Pages
An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.
CAPEC-144 Detect Unpublicized Web Services
An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.
CAPEC-668 Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
CAPEC-87 Forceful Browsing
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.

Notes

Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.
"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

Submission

Name Organization Date Date Release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Alternate_Terms, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2010-02-16 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-03-29 +00:00 updated Applicable_Platforms, Description, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2021-07-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Observed_Examples, Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Modes_of_Introduction, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes