CWE-425
Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Status
incomplete
Abstraction
base
Affected Platforms
Web Based
Web Server
Extended Description
Web applications susceptible to direct request attacks often make the false assumption that restricted resources can only be reached through a given navigation path, and so apply authorization only at certain points in that path rather than on every request.
Common Consequences
confidentiality
integrity
availability
access control
Impacts
read application data
modify application data
execute unauthorized code or commands
gain privileges or assume identity
Potential Mitigations
Phases:
architecture and design
operation
Descriptions:
• Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
• Consider using MVC-based frameworks such as Struts.
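The following added example (constructed for this entry, not CWE/MITRE code) models the flawed assumption from the extended description and the first mitigation: a toy dispatcher that checks authorization only on the admin landing page, beside one that checks every restricted URL on every request. The route paths, the `role` session key and the handler names are assumptions made for illustration.

```python
# Added example: CWE-425 flaw and its per-request fix in a minimal dispatcher.
from dataclasses import dataclass, field

RESTRICTED_PREFIX = "/admin/"   # assumed: every path under this prefix is restricted


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # assumed shape, e.g. {"role": "admin"}


def is_admin(req: Request) -> bool:
    return req.session.get("role") == "admin"


def handle_admin_home(req: Request):
    # Flawed assumption: /admin/users can only be reached by clicking through
    # this page, so this is the only place that enforces authorization.
    if not is_admin(req):
        return 403, "forbidden"
    return 200, "admin menu -> /admin/users"


def handle_admin_users(req: Request):
    # No check here: the handler trusts that the navigation path was followed.
    return 200, "user list"


ROUTES = {
    "/admin/": handle_admin_home,
    "/admin/users": handle_admin_users,
}


def dispatch_vulnerable(req: Request):
    """Authorization is enforced only at the navigation entry point.
    A direct request to /admin/users bypasses the check on /admin/."""
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def dispatch_fixed(req: Request):
    """Mitigation: enforce authorization centrally for every restricted URL,
    before any handler runs, regardless of how the client arrived there."""
    if req.path.startswith(RESTRICTED_PREFIX) and not is_admin(req):
        return 403, "forbidden"
    return dispatch_vulnerable(req)
```

In a real framework the same idea is a middleware or filter applied to the restricted prefix, with the path canonicalised before matching so that encoding or traversal variants of a URL cannot sidestep the check.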