Direct Request ('Forced Browsing')
Weakness ID: 425 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The web application fails to adequately enforce appropriate authorization on all restricted URLs, scripts or files.

Extended Description

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

+ Alternate Terms
forced browsing:

The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Demonstrative Examples

Example 1

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Example Language: JSPĀ
+ Observed Examples
CVE-2004-2144Bypass authentication via direct request.
CVE-2005-1892Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257Bypass auth/auth via direct request.
CVE-2005-1688Direct request leads to infoleak by error.
CVE-2005-1697Direct request leads to infoleak by error.
CVE-2005-1698Direct request leads to infoleak by error.
CVE-2005-1685Authentication bypass via direct request.
CVE-2005-1827Authentication bypass via direct request.
CVE-2005-1654Authorization bypass using direct request.
CVE-2005-1668Access privileged functionality using direct request.
CVE-2002-1798Upload arbitrary files via direct request.
+ Potential Mitigations

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Consider using MVC based frameworks such as Struts.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base288Authentication Bypass Using an Alternate Path or Channel
Development Concepts699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class424Failure to Protect Alternate Path
Development Concepts (primary)699
Research Concepts1000
ChildOfCategoryCategory721OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory722OWASP Top Ten 2004 Category A1 - Unvalidated Input
Weaknesses in OWASP Top Ten (2004)711
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
CanPrecedeWeakness BaseWeakness Base98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base471Modification of Assumed-Immutable Data (MAID)
Research Concepts1000
PeerOfWeakness BaseWeakness Base288Authentication Bypass Using an Alternate Path or Channel
Research Concepts1000
+ Relationship Notes

Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.

+ Theoretical Notes

"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERDirect Request aka 'Forced Browsing'
OWASP Top Ten 2007A10CWE More SpecificFailure to Restrict URL Access
OWASP Top Ten 2004A1CWE More SpecificUnvalidated Input
OWASP Top Ten 2004A2CWE More SpecificBroken Access Control
WASC34Predictable Resource Location
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
87Forceful Browsing
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Alternate Terms, Relationships, Relationship Notes, Taxonomy Mappings, Theoretical Notes
2008-10-14CWE Content TeamMITREInternal
updated Description