CWE-425 直接请求（强制性浏览）

Direct Request ('Forced Browsing')

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

扩展描述

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity', 'Availability', 'Access Control']	['Read Application Data', 'Modify Application Data', 'Execute Unauthorized Code or Commands', 'Gain Privileges or Assume Identity']

可能的缓解方案

['Architecture and Design', 'Operation']

策略:

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Architecture and Design

策略:

Consider using MVC based frameworks such as Struts.

示例代码

例

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

attack JSP

http://somesite.com/someapplication/admin.jsp

分析过的案例

标识	说明	链接
CVE-2004-2144	Bypass authentication via direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2144
CVE-2005-1892	Infinite loop or infoleak triggered by direct requests.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1892
CVE-2004-2257	Bypass auth/auth via direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2257
CVE-2005-1688	Direct request leads to infoleak by error.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1688
CVE-2005-1697	Direct request leads to infoleak by error.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1697
CVE-2005-1698	Direct request leads to infoleak by error.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1698
CVE-2005-1685	Authentication bypass via direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1685
CVE-2005-1827	Authentication bypass via direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1827
CVE-2005-1654	Authorization bypass using direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654
CVE-2005-1668	Access privileged functionality using direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1668
CVE-2002-1798	Upload arbitrary files via direct request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1798

Notes

Relationship Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection. Theoretical "Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Direct Request aka 'Forced Browsing'
OWASP Top Ten 2007	A10	CWE More Specific	Failure to Restrict URL Access
OWASP Top Ten 2004	A1	CWE More Specific	Unvalidated Input
OWASP Top Ten 2004	A2	CWE More Specific	Broken Access Control
WASC	34		Predictable Resource Location
Software Fault Patterns	SFP30		Missing endpoint authentication

VULHUB ™