logo

Direct Request ('Forced Browsing')

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly.

Extended Description

Direct Request vulnerabilities happen because developers often assume users will only navigate through the intended application flow, like clicking buttons in a set sequence. They place authorization checks only at those expected entry points, forgetting that a user can simply type or forge a request to any URL or endpoint the server knows. This creates an insecure direct object reference (IDOR) risk, where attackers can 'force browse' by guessing or discovering hidden paths to administrative panels, configuration files, user data, or backend scripts. To prevent this, every single restricted resource must independently validate that the current session has explicit permission to access it, regardless of how the request was made.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailabilityAccess Control

Impact: Read Application DataModify Application DataExecute Unauthorized Code or CommandsGain Privileges or Assume Identity
Potential Mitigations 2
Phase: Architecture and DesignOperation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phase: Architecture and Design
Consider using MVC based frameworks such as Struts.
Demonstrative Examples 1
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

Code Example:

Attack
JSP
jsp
Observed Examples 13
CVE-2022-29238Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect.
CVE-2004-2144Bypass authentication via direct request.
CVE-2005-1892Infinite loop or infoleak triggered by direct requests.
CVE-2004-2257Bypass auth/auth via direct request.
CVE-2005-1688Direct request leads to infoleak by error.
CVE-2005-1697Direct request leads to infoleak by error.
CVE-2005-1698Direct request leads to infoleak by error.
CVE-2005-1685Authentication bypass via direct request.
CVE-2005-1827Authentication bypass via direct request.
CVE-2005-1654Authorization bypass using direct request.
CVE-2005-1668Access privileged functionality using direct request.
CVE-2002-1798Upload arbitrary files via direct request.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Web Based : Undetermined
Modes of Introduction
Implementation
Operation
Related Attack Patterns
Alternate Terms

forced browsing

The "forced browsing" term could be misinterpreted to include weaknesses such as CSRF or XSS, so its use is discouraged.
Related Weaknesses
ChildOf: Missing Authorization (CWE-862)
ChildOf: Missing Authorization (CWE-862)
ChildOf: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
ChildOf: Improper Protection of Alternate Path (CWE-424)
CanPrecede: Modification of Assumed-Immutable Data (MAID) (CWE-471)
CanPrecede: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2004
  • OWASP Top Ten 2004
  • WASC
  • Software Fault Patterns
Notes
RelationshipOverlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.
Theoretical"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.