CWE-425: Direct Request ('Forced Browsing')
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Extended Description
Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
Common Consequences
Scope: Confidentiality; Integrity; Availability; Access Control
Technical Impact: Read Application Data; Modify Application Data; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity
Potential Mitigations
Phase: Architecture and Design; Operation
Description: Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phase: Architecture and Design
Description: Consider using MVC based frameworks such as Struts.
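The first mitigation says to authorize every access to a restricted resource, not just the navigation entry point. The following Python example is added here to illustrate that point; it is not code from the CWE entry or from any referenced product. The routes, roles, session shape and the `/admin` subtree are all constructed for the example. The vulnerable dispatcher checks authorization only on the `/admin` landing page, so a direct request to `/admin/export` is served without a check; the hardened dispatcher evaluates an explicit policy against the canonicalized path on every request, before the handler runs.

```python
"""CWE-425 illustration: entry-point-only authorization vs. per-request enforcement.

Added example, not part of the CWE entry. All paths, roles and handlers are
constructed for the demonstration.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Session:
    """Minimal stand-in for an authenticated session (constructed)."""
    user: Optional[str] = None
    roles: frozenset = field(default_factory=frozenset)


Handler = Callable[[Session], Tuple[int, str]]


# Constructed handlers: each returns (status, body).
def public_home(_s: Session) -> Tuple[int, str]:
    return 200, "welcome"


def admin_home(_s: Session) -> Tuple[int, str]:
    return 200, "admin home"


def admin_export(_s: Session) -> Tuple[int, str]:
    return 200, "export of all records"


ROUTES: Dict[str, Handler] = {
    "/": public_home,
    "/admin": admin_home,
    "/admin/export": admin_export,
}


def canonicalize(path: str) -> str:
    """Decode and normalize so the authorization check and the router see the
    same path (e.g. "/admin/%2e%2e/admin/export" -> "/admin/export")."""
    normalized = posixpath.normpath(unquote(path))
    return normalized if normalized.startswith("/") else "/" + normalized


def is_admin(session: Session) -> bool:
    return "admin" in session.roles


def vulnerable_dispatch(session: Session, raw_path: str) -> Tuple[int, str]:
    """Vulnerable pattern: the check is tied to the landing page the user is
    expected to navigate through, so resources below it are unprotected."""
    path = canonicalize(raw_path)
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    if path == "/admin" and not is_admin(session):
        return 403, "forbidden"
    return handler(session)


# Hardened pattern: policy is declared per restricted subtree, independent of
# navigation, and evaluated on every request.
RESTRICTED: List[Tuple[str, Callable[[Session], bool]]] = [
    ("/admin", is_admin),
]


def authorize(session: Session, path: str) -> bool:
    """Return True only if no restricted prefix covers the path, or the
    predicate for the covering prefix accepts the session."""
    for prefix, predicate in RESTRICTED:
        if path == prefix or path.startswith(prefix + "/"):
            return predicate(session)
    return True  # public path


def hardened_dispatch(session: Session, raw_path: str) -> Tuple[int, str]:
    path = canonicalize(raw_path)
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    if not authorize(session, path):
        return 403, "forbidden"
    return handler(session)


if __name__ == "__main__":
    anonymous = Session()
    print("vulnerable, direct request:", vulnerable_dispatch(anonymous, "/admin/export"))
    print("hardened, direct request:  ", hardened_dispatch(anonymous, "/admin/export"))
```

The design point is that `RESTRICTED` is a declarative policy keyed on the resource, so adding a new page under `/admin` is protected without any per-handler code, and the canonicalization step keeps encoded or dot-segment variants of a path from slipping past a prefix match.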
Observed Examples
Reference: CVE-2022-29238
Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
Reference: CVE-2022-23607
Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.
Reference: CVE-2004-2144
Bypass authentication via direct request.
Reference: CVE-2005-1892
Infinite loop or infoleak triggered by direct requests.
Reference: CVE-2004-2257
Bypass auth/auth via direct request.
Reference: CVE-2005-1688
Direct request leads to infoleak by error.
Reference: CVE-2005-1697
Direct request leads to infoleak by error.
Reference: CVE-2005-1698
Direct request leads to infoleak by error.
Reference: CVE-2005-1685
Authentication bypass via direct request.
Reference: CVE-2005-1827
Authentication bypass via direct request.
Reference: CVE-2005-1654
Authorization bypass using direct request.
Reference: CVE-2005-1668
Access privileged functionality using direct request.
Reference: CVE-2002-1798
Upload arbitrary files via direct request.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
| Operation | - |
Applicable Platforms
Programming Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Direct Request aka 'Forced Browsing' | - |
| OWASP Top Ten 2007 | A10 | Failure to Restrict URL Access | CWE More Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| OWASP Top Ten 2004 | A2 | Broken Access Control | CWE More Specific |
| WASC | 34 | Predictable Resource Location | - |
| Software Fault Patterns | SFP30 | Missing endpoint authentication | - |
Key Information
CWE ID: CWE-425
Abstraction: Base
Structure: Simple
Status: Incomplete