CWE-425: Direct Request ('Forced Browsing')

ID: CWE-425
Abstraction: Base
Structure: Simple
Status: Incomplete
Number of CVEs: 144
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
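The assumption described above, as an added example that is not part of the CWE entry: a minimal in-process dispatcher in which the vulnerable version authorizes only the navigation entry point (/admin) and trusts that the pages linked from it cannot be reached any other way, while the hardened version evaluates the access policy for every restricted URL on every request. The paths, roles and the Request model are constructed for illustration.

```python
# Added example, not part of the CWE entry: a minimal in-process dispatcher
# that models CWE-425. The vulnerable version authorizes only the navigation
# entry point (/admin) and assumes the pages linked from it cannot be reached
# any other way; the hardened version authorizes every restricted URL on every
# request. Paths, roles and the Request model are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    role: str                          # constructed: "anon", "user" or "admin"
    session: dict = field(default_factory=dict)


PUBLIC = {"/", "/login"}
# Restricted URL -> minimum role required (constructed access policy).
RESTRICTED = {
    "/admin": "admin",
    "/admin/export": "admin",          # only linked from the /admin menu
    "/reports/123.pdf": "user",
}
RANK = {"anon": 0, "user": 1, "admin": 2}


def handler(path):
    """Stand-in for the resource handler; returns a fake 200 response."""
    return f"200 {path}"


def vulnerable_dispatch(req):
    """Authorization is applied only at the menu page, the assumed entry point.
    A client that requests /admin/export directly never hits the check."""
    if req.path == "/admin":
        if req.role != "admin":
            return "403"
        req.session["admin_menu_seen"] = True
    return handler(req.path)


def hardened_dispatch(req):
    """Deny by default: the policy is evaluated for the requested URL itself,
    regardless of how (or whether) the client navigated to it."""
    if req.path in PUBLIC:
        return handler(req.path)
    required = RESTRICTED.get(req.path)
    if required is None:
        return "404"                   # unlisted resources are not served
    if RANK.get(req.role, -1) < RANK[required]:
        return "403"
    return handler(req.path)
```

The detection angle follows from the same model: a restricted URL served with 200 to a session that never passed the entry-point check is the signal to alert on.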

Modes of Introduction

Phases: Implementation, Operation

Applicable Platforms

Language: Not Language-Specific
Technology: Web Based

Relationships

View (ID, name, status): Related weakness (ID, name, abstraction, structure, status)
CWE-1000 Research Concepts (Draft): CWE-862 Missing Authorization (Class, Simple, Incomplete)
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities (Incomplete): CWE-862 Missing Authorization (Class, Simple, Incomplete)
CWE-1000 Research Concepts (Draft): CWE-288 Authentication Bypass Using an Alternate Path or Channel (Base, Simple, Incomplete)
CWE-1000 Research Concepts (Draft): CWE-424 Improper Protection of Alternate Path (Class, Simple, Draft)
CWE-1000 Research Concepts (Draft): CWE-471 Modification of Assumed-Immutable Data (MAID) (Base, Simple, Draft)
CWE-1000 Research Concepts (Draft): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (Variant, Simple, Draft)

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
ID: Name (Weaknesses)
CAPEC-87: Forceful Browsing (CWE-425)
CAPEC-127: Directory Indexing (CWE-425)
CAPEC-143: Detect Unpublicized Web Pages (CWE-425)
CAPEC-144: Detect Unpublicized Web Services (CWE-425)
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB) (CWE-425)

CVEs Published

[Charts not captured in this extraction: CVSS Severity; CVSS Severity - By Year; CVSS Base Score]

[CVE table not loaded; columns: CVE, Description, CVSS, EPSS, EPSS Trend (30 days), Affected Products, Weaknesses, Security Advisories, Exploits/PoC, Publication Date, Modification Date]