CWE-425: Direct Request ('Forced Browsing')
Official CWE-425 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-425: forced browsing
Direct Request ('Forced Browsing') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality,Integrity,Availability,Access Control: Read Application Data,Modify Application Data,Execute Unauthorized Code or Commands,Gain Privileges or Assume Identity
Developer Pattern
CWE-425 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-425, 4.20.
Official CWE Definition
CWE-425: Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
Remediation
- Architecture and Design,Operation: Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
- Architecture and Design: Consider using MVC based frameworks such as Struts.
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-424: Improper Protection of Alternate Path
- CWE-471: Modification of Assumed-Immutable Data (MAID)
- CWE-862: Missing Authorization
- CWE-862: Missing Authorization
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.