CAPEC-87: Forceful Browsing

ID CAPEC-87
Typical Severity High
Likelihood Of Attack High
Status Draft

An attacker employs forceful browsing (direct URL entry) to access portions of a website that are not reachable through the normal navigation. Usually a front controller or similar design pattern is employed to protect access to portions of a web application, with authorization enforced at the point where the controller dispatches to a page. Resources that can be requested directly, such as static files, backup copies, administrative scripts or handlers the controller does not route, never pass through that check. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected. It is a failure of authorization rather than of authentication, and it is not prevented by merely omitting links to the resource, since the attacker guesses or enumerates the URL instead of following one.

https://capec.mitre.org/data/definitions/87.html

Weaknesses

ID       Name                              Type
CWE-285  Improper Authorization            weakness
CWE-425  Direct Request ('Forced Browsing')  weakness
CWE-693  Protection Mechanism Failure      weakness

Taxonomy Mapping

Type           ID   Name
WASC           34   Predictable Resource Location
OWASP Attacks       Forced browsing