Direct Request ('Forced Browsing')
Weakness ID: 425 (Weakness Base) | Status: Incomplete
Description Summary
Extended Description
Web applications susceptible to direct request attacks often make the false assumption that a restricted resource can be reached only by following a given navigation path, and so apply authorization only at certain points along that path rather than at the resource itself. An attacker who knows or guesses the URL of the resource simply requests it directly and never passes through the points where the check is made.
Term | Description
---|---
forced browsing | The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.
Example 1
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
Reference | Description
---|---
CVE-2004-2144 | Bypass authentication via direct request.
CVE-2005-1892 | Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257 | Bypass authentication/authorization via direct request.
CVE-2005-1688 | Direct request leads to infoleak by error.
CVE-2005-1697 | Direct request leads to infoleak by error.
CVE-2005-1698 | Direct request leads to infoleak by error.
CVE-2005-1685 | Authentication bypass via direct request.
CVE-2005-1827 | Authentication bypass via direct request.
CVE-2005-1654 | Authorization bypass using direct request.
CVE-2005-1668 | Access privileged functionality using direct request.
CVE-2002-1798 | Upload arbitrary files via direct request.
Apply appropriate access control checks on every request to each restricted URL, script or file, at the point where the resource is served, rather than only on the pages that link to it. Not showing a link, or relying on an expected navigation order, is not an access control.
Consider using MVC based frameworks such as Struts, whose central controller can route every request through the same authorization check before it reaches the target page.
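The following is an added example, not code from the CWE entry or from any product it cites. It shows the situation of Example 1 and the first mitigation side by side: a toy request dispatcher that authorizes only on the menu page (the assumed entry point), the same dispatcher with the check made on every restricted resource, and a probe that requests each restricted path with no session and reports which ones are served anyway. The path set, the `Request` type and the function names are illustrative assumptions.

```python
"""Added example (not from the CWE entry): a toy request dispatcher that
shows CWE-425 and its mitigation, plus a probe that detects the weakness.

RESTRICTED_PATHS, Request and the function names are illustrative
assumptions, not any real framework's API.
"""
from dataclasses import dataclass, field

# Constructed sample data: URLs that must require an admin session.
RESTRICTED_PATHS = {"/admin/users", "/admin/export", "/reports/finance"}


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # server-side session state


def vulnerable_dispatch(req: Request) -> tuple[int, str]:
    """Authorization is applied only on /menu, the assumed entry point.

    The restricted pages assume the user arrived through /menu and never
    check the session themselves, so requesting them directly succeeds.
    """
    if req.path == "/menu":
        if req.session.get("role") != "admin":
            return 403, "forbidden"
        return 200, "admin menu: " + ", ".join(sorted(RESTRICTED_PATHS))
    if req.path in RESTRICTED_PATHS:
        return 200, "sensitive contents of " + req.path  # no check here
    return 404, "not found"


def hardened_dispatch(req: Request) -> tuple[int, str]:
    """Authorization is decided per request from the requested resource,
    independent of how (or whether) the client navigated there."""
    if req.path == "/menu" or req.path in RESTRICTED_PATHS:
        if req.session.get("role") != "admin":
            return 403, "forbidden"
        if req.path == "/menu":
            return 200, "admin menu: " + ", ".join(sorted(RESTRICTED_PATHS))
        return 200, "sensitive contents of " + req.path
    return 404, "not found"


def probe_forced_browsing(dispatch, paths) -> list[str]:
    """Request each restricted path with an empty session and return the
    ones that are served (HTTP 200). Against a real target the same check
    is an HTTP client that sends no cookies or tokens."""
    exposed = []
    for path in sorted(paths):
        status, _ = dispatch(Request(path))
        if status == 200:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for name, dispatch in (("vulnerable", vulnerable_dispatch),
                           ("hardened", hardened_dispatch)):
        print(name, "exposes:", probe_forced_browsing(dispatch, RESTRICTED_PATHS))
```

The probe is the check a tester runs: enumerate the restricted URLs from the authenticated view of the site, then request each one again with no session and flag any that still return content. The hardened dispatcher passes the probe because the decision is keyed on the resource, not on the page the client came from.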
Nature | ID | Name | View(s) this relationship pertains to
---|---|---|---
ChildOf | 288 | Authentication Bypass Using an Alternate Path or Channel | Development Concepts (699), Research Concepts (1000, primary)
ChildOf | 424 | Failure to Protect Alternate Path | Development Concepts (699, primary), Research Concepts (1000)
ChildOf | 721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access | Weaknesses in OWASP Top Ten (2007) (629, primary)
ChildOf | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (711)
ChildOf | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (711, primary)
CanPrecede | 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Research Concepts (1000)
CanPrecede | 471 | Modification of Assumed-Immutable Data (MAID) | Research Concepts (1000)
PeerOf | 288 | Authentication Bypass Using an Alternate Path or Channel | Research Concepts (1000)
Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.
"Forced browsing" is a step-based manipulation involving the omission of one or more steps whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before it allows the second step to proceed. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, where assumed-immutable variables (such as a "step completed" flag) can be set externally by the client.
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
PLOVER | | | Direct Request aka 'Forced Browsing'
OWASP Top Ten 2007 | A10 | CWE More Specific | Failure to Restrict URL Access
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
OWASP Top Ten 2004 | A2 | CWE More Specific | Broken Access Control
WASC | 34 | | Predictable Resource Location
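The step-based manipulation described in the theoretical note above (step 2 assuming step 1 ran, with the "done" flag living in a variable the client can set) as an added example, not part of the CWE entry and not code from any product it cites. It models a two-step password reset: step 1 checks a reset token, step 2 sets the new password. The vulnerable step 2 trusts a `verified` request parameter, which is the assumed-immutable-variable pattern; the hardened step 2 consults only the server-side session record that step 1 wrote, and consumes it. The class and method names, the session layout and the sample account and token are illustrative assumptions.

```python
"""Added example (not from the CWE entry): a two-step password-reset flow
in which step 2 assumes step 1 already ran. PasswordReset, the method
names, the session layout and the sample token/account are illustrative
assumptions, not any real product's code.
"""


class PasswordReset:
    """Constructed sample state: one account and one issued reset token."""

    def __init__(self) -> None:
        self.tokens = {"alice": "tok-9f3a"}
        self.passwords = {"alice": "old-password"}

    def step1_verify(self, session: dict, params: dict) -> tuple[int, str]:
        """Step 1: prove possession of the reset token. Success is recorded
        in the server-side session, which the client cannot edit."""
        user, token = params.get("user"), params.get("token")
        if user in self.tokens and self.tokens[user] == token:
            session["verified_user"] = user
            return 200, "token ok, proceed to step 2"
        return 403, "bad token"

    def vulnerable_step2(self, session: dict, params: dict) -> tuple[int, str]:
        """Step 2 trusts a request parameter to say that step 1 happened.
        `verified` is meant to be set only by step 1 (think of a hidden form
        field or a PHP register_globals variable), but any client can supply
        it, so a direct request with verified=1 skips step 1 entirely."""
        user, new = params.get("user"), params.get("new_password")
        if params.get("verified") != "1":
            return 403, "complete step 1 first"
        if user not in self.passwords or not new:
            return 400, "bad request"
        self.passwords[user] = new
        return 200, "password changed"

    def hardened_step2(self, session: dict, params: dict) -> tuple[int, str]:
        """Step 2 uses only server-side state: the user comes from the
        session entry written by step 1 (not from the request), the entry is
        consumed so the step cannot be replayed, and the token is revoked."""
        new = params.get("new_password")
        user = session.pop("verified_user", None)
        if user is None:
            return 403, "complete step 1 first"
        if not new:
            return 400, "bad request"
        self.passwords[user] = new
        self.tokens.pop(user, None)  # single-use token
        return 200, "password changed"


def direct_request_attack(hardened: bool) -> bool:
    """Attacker with a fresh, unauthenticated session calls step 2 directly.
    Returns True if alice's password was changed without passing step 1."""
    flow = PasswordReset()
    step2 = flow.hardened_step2 if hardened else flow.vulnerable_step2
    step2({}, {"user": "alice", "verified": "1", "new_password": "pwned"})
    return flow.passwords["alice"] == "pwned"


def legitimate_flow(hardened: bool) -> bool:
    """The intended order: step 1 with the real token, then step 2.
    Returns True if the password was changed."""
    flow = PasswordReset()
    session: dict = {}
    flow.step1_verify(session, {"user": "alice", "token": "tok-9f3a"})
    step2 = flow.hardened_step2 if hardened else flow.vulnerable_step2
    step2(session, {"user": "alice", "verified": "1", "new_password": "new-pw"})
    return flow.passwords["alice"] == "new-pw"


if __name__ == "__main__":
    print("vulnerable step 2 bypassed:", direct_request_attack(hardened=False))
    print("hardened step 2 bypassed:", direct_request_attack(hardened=True))
```

The point of the hardened version is where the "step 1 done" fact lives: in state only the server writes, bound to the identity step 1 actually verified, and deleted once used. Any design in which that fact travels through the request (a hidden field, a query parameter, a cookie the client can edit) is the weakness the theoretical note describes.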
CAPEC-ID | Attack Pattern Name (CAPEC Version: 1.4)
---|---
87 | Forceful Browsing
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Change
---|---|---|---|---
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-08-15 | Veracode | | External | Suggested OWASP Top Ten 2004 mapping
2008-09-08 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Relationships, Relationship Notes, Taxonomy Mappings, Theoretical Notes
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description