Direct Request ('Forced Browsing')

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Extended Description

Web applications susceptible to direct request attacks often make the false assumption that a restricted resource can only be reached through a given navigation path, and so apply authorization only at certain points in that path (typically the entry page) rather than on the resource itself. An attacker who knows or guesses the URL of a later step simply requests it directly and skips the checks.

Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control

Impact: Read Application Data; Modify Application Data; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity

Potential Mitigations (2)
Phase: Architecture and Design; Operation
Apply appropriate access control authorization on every access to every restricted URL, script or file, not only at the entry point of a navigation path.
Phase: Architecture and Design
Consider using MVC-based frameworks such as Struts, whose central controller gives a single place to enforce authorization on each request before it reaches a handler.
Demonstrative Examples (1)
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Code Example (attack code; example language: JSP):
Observed Examples (13)
CVE-2022-29238: Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607: Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.
CVE-2004-2144: Bypass authentication via direct request.
CVE-2005-1892: Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257: Bypass authentication/authorization via direct request.
CVE-2005-1688: Direct request leads to infoleak by error.
CVE-2005-1697: Direct request leads to infoleak by error.
CVE-2005-1698: Direct request leads to infoleak by error.
CVE-2005-1685: Authentication bypass via direct request.
CVE-2005-1827: Authentication bypass via direct request.
CVE-2005-1654: Authorization bypass using direct request.
CVE-2005-1668: Access privileged functionality using direct request.
CVE-2002-1798: Upload arbitrary files via direct request.
Applicable Platforms
Languages: Not Language-Specific (prevalence: Undetermined)
Technologies: Web Based (prevalence: Undetermined)
Modes of Introduction
Implementation
Operation
Alternate Terms

forced browsing

The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2004
  • OWASP Top Ten 2004
  • WASC
  • Software Fault Patterns
Notes
Relationship: Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.
Theoretical: "Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.
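Both forms of the weakness on this page, the directly reachable restricted URL from the Demonstrative Example and the skipped workflow step from the Theoretical note, together with the per-request fix from Potential Mitigations, as an added example that is not part of the CWE entry. It uses plain Python with a hand-written route table so it runs without any web framework; the route names, the users, the `require` decorator and the `probe` check are assumptions made for illustration.

```python
# Added example (not from the CWE entry): a minimal in-memory web app that
# shows CWE-425 and its fix. Routes, users and helper names are illustrative.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple

Response = Tuple[int, str]          # (HTTP status, body)


@dataclass
class Request:
    path: str
    user: Optional[str] = None      # None means an anonymous client
    session: dict = field(default_factory=dict)


Handler = Callable[[Request], Response]

ADMINS = {"alice"}                  # constructed sample data


def is_admin(req: Request) -> bool:
    return req.user in ADMINS


def has_paid(req: Request) -> bool:
    # Step 2 of the checkout flow is only valid after step 1 set this flag.
    return bool(req.session.get("paid"))


# --- handlers, shared by both wirings -------------------------------------
def admin_menu(req: Request) -> Response:
    return 200, "links: /admin/users /admin/export"


def admin_users(req: Request) -> Response:
    return 200, "user list"


def admin_export(req: Request) -> Response:
    return 200, "database dump"


def checkout_pay(req: Request) -> Response:
    req.session["paid"] = True      # step 1 of a two-step flow
    return 200, "payment taken; continue to /checkout/confirm"


def checkout_confirm(req: Request) -> Response:
    return 200, "order shipped"     # step 2, assumed to follow step 1


# --- vulnerable wiring: authorization only at the assumed entry point ------
def vulnerable_menu(req: Request) -> Response:
    if not is_admin(req):
        return 403, "forbidden"
    return admin_menu(req)


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/admin": vulnerable_menu,
    "/admin/users": admin_users,            # reachable directly, no check
    "/admin/export": admin_export,          # reachable directly, no check
    "/checkout/pay": checkout_pay,
    "/checkout/confirm": checkout_confirm,  # never verifies step 1 happened
}


# --- hardened wiring: the check runs on every request to the resource -------
def require(check: Callable[[Request], bool]) -> Callable[[Handler], Handler]:
    def decorate(fn: Handler) -> Handler:
        def wrapped(req: Request) -> Response:
            if not check(req):
                return 403, "forbidden"
            return fn(req)
        return wrapped
    return decorate


HARDENED_ROUTES: Dict[str, Handler] = {
    "/admin": require(is_admin)(admin_menu),
    "/admin/users": require(is_admin)(admin_users),
    "/admin/export": require(is_admin)(admin_export),
    "/checkout/pay": checkout_pay,
    "/checkout/confirm": require(has_paid)(checkout_confirm),
}


def dispatch(routes: Dict[str, Handler], req: Request) -> Response:
    handler = routes.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


def probe(routes: Dict[str, Handler], paths: Iterable[str],
          user: Optional[str] = None, session: Optional[dict] = None) -> Dict[str, int]:
    """Forced-browsing check: request each path directly, skipping any
    navigation, and record the status. Any 200 for a restricted path is a finding."""
    return {p: dispatch(routes, Request(p, user, dict(session or {})))[0] for p in paths}


RESTRICTED = ["/admin", "/admin/users", "/admin/export", "/checkout/confirm"]

if __name__ == "__main__":
    print("vulnerable:", probe(VULNERABLE_ROUTES, RESTRICTED))
    print("hardened:  ", probe(HARDENED_ROUTES, RESTRICTED))
```

`probe` is the whole of a forced-browsing test: enumerate the restricted paths (from the application's own links, a site map, or a wordlist) and request each one as an anonymous or low-privileged user, ignoring how the application expects you to get there. In the vulnerable wiring only `/admin` refuses, because that is the only place the check lives; in the hardened wiring every restricted handler is wrapped, so the same probe returns 403 across the board while the legitimate pay-then-confirm sequence still succeeds.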